CN110574406B - Key configuration method, device and system - Google Patents

Info

Publication number: CN110574406B
Application number: CN201780090099.0A
Authority: CN (China)
Prior art keywords: user plane, algorithm, protection, key, session
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN110574406A (en)
Inventors: 张博, 吴�荣, 甘露, 李岩
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; publication of CN110574406A; application granted; publication of CN110574406B; legal status active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
                    • H04W12/03 Protecting confidentiality, e.g. by encryption
                        • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
                    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
                        • H04W12/041 Key generation or derivation
                    • H04W12/10 Integrity
                        • H04W12/106 Packet or message integrity
                    • H04W12/30 Security of mobile devices; Security of mobile applications
                        • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L9/0863 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
                    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/60 Protecting data
                        • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiment of the invention discloses a key configuration method, device and system. The method comprises the following steps: a policy function network element receives a request for communication between user equipment and network equipment; it determines a user plane protection mechanism based on the request, UE registration information, subscribed service data and service security requirements; when the network equipment is CN equipment, the policy function network element sends the user plane protection mechanism to the algorithm network element; the algorithm network element determines a security protection algorithm based on the user plane protection mechanism, generates a first user plane protection key based on the security protection algorithm, sends the first user plane protection key to the CN equipment and sends the security protection algorithm to the user equipment; and the user equipment generates a second user plane protection key based on the security protection algorithm. The embodiment of the invention enables the user equipment and the network equipment to each complete the configuration of the user plane protection key in 5G communication, improves the security of user plane data transmission and realizes network security protection.

Description

Key configuration method, device and system
Technical Field
The present invention relates to the field of communications, and in particular, to a method, an apparatus, and a system for configuring a key.
Background
In the existing network security architecture, a hop-by-hop mode is adopted for the security protection of data, that is, security protection is performed segment by segment. Taking the transmission link of data from a terminal device through a base station and a serving gateway to a PDN gateway as an example, security protection is performed separately between the terminal device and the base station, between the base station and the serving gateway, and between the serving gateway and the PDN gateway, which may cause data leakage if an intermediate node has a problem.
In addition, in the existing network security architecture, a PDCP air interface protection mechanism is adopted between the terminal device and the base station. The PDCP air interface protection mechanism supports only one set of user data protection settings: even if multiple types of service data are transmitted between the terminal device and the base station, all of them can only be protected with the same encryption algorithm and integrity protection algorithm. It can be seen that the prior art does not support differentiated security protection, and all service data on the base station side must be protected uniformly.
In addition, future 5G planning requires the network elements of a 5G network to support service-based security policy negotiation, whereas security algorithm negotiation in current LTE is only used to negotiate the security algorithms of the user plane or the control plane. Service-based security policy negotiation is not supported, so the existing LTE negotiation mechanism cannot be applied directly to future 5G communication.
Disclosure of Invention
The embodiment of the invention discloses a key configuration method, device and system, which enable user equipment and network equipment to each complete the configuration of a user plane protection key in 5G communication, improve the security of user plane data transmission and realize network security protection.
In a first aspect, an embodiment of the present invention provides a key configuration method, applied on the policy function network element side of a communication system. The method includes:
the policy function network element receives a request for communication between user equipment and network equipment; the request includes a session identifier, a user equipment identifier and indication information of security requirements, where the indication information of security requirements indicates the security requirements of the user equipment and/or the service security requirements;
the policy function network element determines a user plane protection mechanism based on the request and at least one of: UE registration information fed back by a unified data management network element (UDM), subscribed service data fed back by the UDM, and service security requirements fed back by an application function network element (AF); the user plane protection mechanism indicates whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted and/or integrity protected;
when the network equipment is access network (AN) equipment, the policy function network element sends the user plane protection mechanism to the AN equipment; the AN equipment determines a security protection algorithm based on the user plane protection mechanism and generates a first user plane protection key based on the security protection algorithm; the AN equipment further sends the security protection algorithm to the user equipment, so that the user equipment can generate a second user plane protection key based on the security protection algorithm;
when the network equipment is core network (CN) equipment, the policy function network element sends the user plane protection mechanism to an algorithm network element; the algorithm network element determines a security protection algorithm based on the user plane protection mechanism, generates a first user plane protection key based on the security protection algorithm, and sends the first user plane protection key to the CN equipment; the algorithm network element further sends the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm;
when the first user plane protection key is used to protect user plane data, the second user plane protection key is used to restore the user plane data; when the second user plane protection key is used to protect user plane data, the first user plane protection key is used to restore the user plane data; here, security protection means encrypting and/or integrity protecting the data as indicated by the user plane protection mechanism.
With reference to the first aspect, in a possible implementation manner, the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier (DNN) and a user equipment security capability.
The request is an attach request; the attach request is initiated by the user equipment to an authentication server network element (AUSF); the attach request is used for mutual authentication between the network equipment and the AUSF, and also triggers the policy function network element to determine a user plane protection mechanism;
or, the request is a session request; the session request is initiated by the user equipment to a session management network element (SMF), or by an access and mobility management network element (AMF) to the SMF; the session request is used to establish a session between the network device and the SMF, and also triggers the policy function network element to determine a user plane protection mechanism;
or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and triggers the policy function network element to determine a user plane protection mechanism.
With reference to the first aspect, in a possible implementation manner, the user plane protection mechanism further indicates at least one of the security protection algorithm, the key length and the key update period to be adopted for user plane data transmitted between the user equipment and the network device.
The policy function network element is one of a policy control node (PCF), an authentication server network element (AUSF), an access and mobility management function network element (AMF), a session management network element (SMF) and CN equipment.
The CN equipment is a user plane node (UPF); the algorithm network element comprises at least one of the PCF, the AUSF, the AMF, the SMF and the AN equipment.
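The policy decision of the first aspect, as an added example (not code from the patent or from Huawei): a toy policy function network element that takes the request's security indication together with the UDM and AF inputs the text lists and produces a user plane protection mechanism. The combination rule (the strictest requirement from any source wins; the longest requested key length and the shortest update period are kept) is an assumption, since the patent only names the inputs, not how they are weighed.

```python
"""Added example, not from the patent: a toy policy function network element (the
PCF role of the first aspect) that decides the user plane protection mechanism
from the request's security indication plus the UDM and AF inputs. The
combination rule (the strictest requirement from any source wins) is an
assumption; the patent only lists the inputs."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurityRequirement:
    """What one input source says; None means 'no opinion'."""
    encrypt: Optional[bool] = None
    integrity: Optional[bool] = None
    algorithm: Optional[str] = None          # algorithm identifier, if the source names one
    key_length: Optional[int] = None         # bits
    key_update_period: Optional[int] = None  # seconds (assumed unit)


@dataclass(frozen=True)
class Request:
    """Request as described: session ID, UE ID, security indication, and
    optionally the DNN and the UE security capability."""
    session_id: int
    ue_id: str
    indication: SecurityRequirement
    dnn: Optional[str] = None
    ue_security_capability: Tuple[str, ...] = ()


@dataclass(frozen=True)
class UserPlaneProtectionMechanism:
    encrypt: bool
    integrity: bool
    algorithm: Optional[str]        # None: the AN / algorithm NE selects one itself
    key_length: Optional[int]
    key_update_period: Optional[int]


def _first_set(sources: List[SecurityRequirement], attr: str):
    """First explicit value in source order (assumption: the request is consulted first)."""
    for s in sources:
        value = getattr(s, attr)
        if value is not None:
            return value
    return None


def determine_mechanism(request: Request,
                        ue_registration: Optional[SecurityRequirement],
                        subscribed_service: Optional[SecurityRequirement],
                        af_requirement: Optional[SecurityRequirement]
                        ) -> UserPlaneProtectionMechanism:
    """Policy decision from the request plus at least one UDM/AF input."""
    extra = [s for s in (ue_registration, subscribed_service, af_requirement) if s is not None]
    if not extra:
        raise ValueError("need at least one of UE registration, subscribed service data, AF requirement")
    sources = [request.indication] + extra
    key_lengths = [s.key_length for s in sources if s.key_length is not None]
    periods = [s.key_update_period for s in sources if s.key_update_period is not None]
    return UserPlaneProtectionMechanism(
        # strictest wins: protection is on as soon as one source asks for it
        encrypt=any(s.encrypt for s in sources),
        integrity=any(s.integrity for s in sources),
        algorithm=_first_set(sources, "algorithm"),
        key_length=max(key_lengths) if key_lengths else None,   # longest requested
        key_update_period=min(periods) if periods else None,    # most frequent rekey
    )


if __name__ == "__main__":
    # Constructed sample inputs: the UE asks for encryption, the subscription
    # demands integrity with 128-bit keys, the AF wants 256-bit keys rekeyed every 600 s.
    req = Request(session_id=1, ue_id="ue-1", indication=SecurityRequirement(encrypt=True))
    print(determine_mechanism(req, None,
                              SecurityRequirement(integrity=True, key_length=128),
                              SecurityRequirement(key_length=256, key_update_period=600)))
```

The point a practitioner should take from this is that the mechanism is a policy output with explicit on/off bits per protection type, so "encrypt only", "integrity only" and "both" are all representable per session, which is exactly the differentiated protection the background section says LTE's single PDCP configuration lacks.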
With reference to the first aspect, in a possible implementation manner, the AN equipment determining a security protection algorithm based on the user plane protection mechanism includes:
if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability and the algorithm priority list supported by the AN equipment; and
if the user plane protection mechanism includes a security protection algorithm, directly taking the security protection algorithm from the user plane protection mechanism.
With reference to the first aspect, in a possible implementation manner, the algorithm network element determining a security protection algorithm based on the user plane protection mechanism includes:
if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability and the algorithm priority list supported by the CN equipment; and
if the user plane protection mechanism includes a security protection algorithm, directly taking the security protection algorithm from the user plane protection mechanism.
With reference to the first aspect, in a possible implementation manner, when the network device is AN equipment, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF from the basic key obtained after authentication, or from a key derived again after authentication, and the AN device obtains K_AN from the AMF;
when the network device is CN equipment, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is a base station key derived by the AMF or the AUSF from the basic key obtained after authentication, or from a key derived again after authentication, and the algorithm network element obtains K_algorithm network element from the AMF or the AUSF after authentication;
where the UP algorithm ID is the identifier of an encryption algorithm or the identifier of an integrity protection algorithm, and KDF is a key derivation function.
With reference to the first aspect, in a possible implementation manner, the user plane data is carried over a quality of service flow (QoS flow) transmission channel;
before determining the user plane protection mechanism, the method includes: determining the QoS flow ID corresponding to the QoS flow transmission channel;
determining a user plane protection mechanism includes: determining the user plane protection mechanism corresponding to the QoS flow ID, where the QoS flow ID has a mapping relationship with the user plane protection mechanism.
With reference to the first aspect, in a possible implementation manner, determining the QoS flow ID corresponding to the QoS flow transmission channel includes:
selecting the QoS flow ID corresponding to a preset QoS flow transmission channel based on the security requirement and/or the QoS requirement;
or, based on the security requirement and/or the QoS requirement, newly establishing a QoS flow transmission channel and generating the QoS flow ID corresponding to it.
The security requirement is indicated by at least one of the indication information, the UE registration information, the subscribed service data and the service security requirement fed back by the AF; the QoS requirement is a requirement on quality of service parameters in the communication network.
With reference to the first aspect, in a possible implementation manner, the user plane data is carried over a data radio bearer (DRB) transmission channel;
before determining the user plane protection mechanism, the method includes: determining the data radio bearer identifier (DRB ID) corresponding to the DRB transmission channel;
determining a user plane protection mechanism includes: determining the user plane protection mechanism corresponding to the DRB ID, where the DRB ID has a mapping relationship with the user plane protection mechanism.
With reference to the first aspect, in a possible implementation manner, determining the DRB ID corresponding to the DRB transmission channel includes:
selecting the DRB ID corresponding to a preset DRB transmission channel based on the security requirement and/or the QoS requirement;
or, based on the security requirement and/or the QoS requirement, newly establishing a DRB transmission channel and generating the DRB ID corresponding to it.
The security requirement is indicated by at least one of the indication information, the UE registration information, the subscribed service data and the service security requirement fed back by the AF; the QoS requirement is a requirement on quality of service parameters in the communication network.
With reference to the first aspect, in a possible implementation manner, the user plane data is carried over a session transmission channel;
before determining the user plane protection mechanism, the method includes: determining the session identifier (session ID) corresponding to the session transmission channel;
determining a user plane protection mechanism includes: determining the user plane protection mechanism corresponding to the session ID, where the session ID has a mapping relationship with the user plane protection mechanism.
In a possible embodiment, determining the user plane protection mechanism further includes:
establishing the mapping from the session ID and the QoS flow ID to the DRB ID, and mapping QoS flows that share the same user plane protection mechanism onto the same DRB.
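The channel mapping just described (QoS flow selection, then session ID + QoS flow ID mapped to a DRB ID, with flows that share a protection mechanism sharing a DRB), as an added example that is not part of the patent or any Huawei implementation. Sequential integer allocation of flow and DRB identifiers, and the use of a plain string as the QoS requirement, are assumptions made for the demonstration.

```python
"""Added example, not from the patent: a toy mapper for session ID -> QoS flow ID
-> DRB ID. It (1) reuses a preset QoS flow whose protection mechanism and QoS
requirement already match, or establishes a new one, and (2) maps every QoS flow
of a session that carries the same user plane protection mechanism onto the same
DRB. Identifier allocation (sequential integers) is an assumption."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Mechanism:
    """User plane protection mechanism as decided by the policy function."""
    encrypt: bool
    integrity: bool
    algorithm: Optional[str] = None


@dataclass(frozen=True)
class QosFlow:
    flow_id: int
    mechanism: Mechanism
    qos_requirement: str   # any hashable QoS label works for the demo


class ChannelMapper:
    def __init__(self) -> None:
        self._flows: Dict[Tuple[int, int], QosFlow] = {}          # (session, flow) -> flow
        self._drb_by_mech: Dict[Tuple[int, Mechanism], int] = {}  # (session, mechanism) -> DRB
        self._next_flow = 1
        self._next_drb = 1

    def select_qos_flow(self, session_id: int, mechanism: Mechanism, qos_requirement: str) -> int:
        """Reuse a preset QoS flow that satisfies both the security requirement
        (mechanism) and the QoS requirement; otherwise establish a new one."""
        for (sid, fid), flow in self._flows.items():
            if sid == session_id and flow.mechanism == mechanism and flow.qos_requirement == qos_requirement:
                return fid
        fid = self._next_flow
        self._next_flow += 1
        self._flows[(session_id, fid)] = QosFlow(fid, mechanism, qos_requirement)
        return fid

    def map_to_drb(self, session_id: int, flow_id: int) -> int:
        """Map (session ID, QoS flow ID) to a DRB ID; flows of one session that
        share a mechanism share the DRB, so one key set protects the bearer."""
        flow = self._flows[(session_id, flow_id)]
        key = (session_id, flow.mechanism)
        if key not in self._drb_by_mech:
            self._drb_by_mech[key] = self._next_drb
            self._next_drb += 1
        return self._drb_by_mech[key]

    def mechanism_for_drb(self, session_id: int, drb_id: int) -> Optional[Mechanism]:
        """Reverse lookup for the variant where the mechanism is keyed by DRB ID."""
        for (sid, mech), did in self._drb_by_mech.items():
            if sid == session_id and did == drb_id:
                return mech
        return None


if __name__ == "__main__":
    # Constructed sample: two strongly protected flows and one integrity-only flow in session 10.
    m = ChannelMapper()
    both = Mechanism(encrypt=True, integrity=True)
    integrity_only = Mechanism(encrypt=False, integrity=True)
    f1 = m.select_qos_flow(10, both, "voice")
    f2 = m.select_qos_flow(10, both, "video")
    f3 = m.select_qos_flow(10, integrity_only, "video")
    print(m.map_to_drb(10, f1), m.map_to_drb(10, f2), m.map_to_drb(10, f3))
```

Note the invariant the mapper enforces: two flows never land on the same DRB unless their mechanisms are identical, so an integrity-only flow cannot silently ride on a bearer whose keys were negotiated for an encrypted flow, and vice versa.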
With reference to the first aspect, in a possible implementation manner, when the network device is AN equipment, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_AN, UP algorithm ID); or
the first user plane protection key is KDF(K_AN, UP algorithm ID, flow ID); or
the first user plane protection key is KDF(K_AN, UP algorithm ID, session ID); or
the first user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID);
when the network device is CN equipment, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID); or
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, flow ID); or
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, session ID); or
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, DRB ID).
With reference to the first aspect, in a possible implementation manner, before determining the user plane protection mechanism, the method further includes:
based on the session request, the user equipment performs secondary authentication with a data network (DN), and the authentication result is fed back to the policy function network element, so that the policy function network element determines the user plane protection mechanism with reference to the authentication result.
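The algorithm selection rule (use the algorithm carried in the mechanism, otherwise the highest-priority network algorithm the UE also supports) and the KDF(K, UP algorithm ID[, flow ID | session ID | DRB ID]) derivations above, worked through on both sides, as an added example that is not the patent's or Huawei's code. Assumptions: the KDF is modelled as HMAC-SHA-256 over length-prefixed inputs (the patent only says "key derivation function" and names no construction); K_AN is a constructed 32-byte value standing in for the key the AN receives from the AMF; the algorithm identifier strings and the priority lists are sample values.

```python
"""Added example, not from the patent: algorithm selection plus the four KDF
variants, run on the network side (AN or algorithm network element) and on the
UE side. Assumptions: KDF := HMAC-SHA-256 over length-prefixed parameters;
K_AN is a constructed sample key; algorithm identifiers are sample strings."""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Sequence, Tuple

# Constructed sample: the base station key K_AN as handed to the AN by the AMF.
K_AN_SAMPLE = bytes(range(32))


def select_algorithm(mechanism_algorithm: Optional[str],
                     ue_security_capability: Sequence[str],
                     priority_list: Sequence[str]) -> str:
    """Use the algorithm carried in the mechanism if present; otherwise take the
    highest-priority network algorithm that the UE also supports."""
    if mechanism_algorithm is not None:
        return mechanism_algorithm
    for alg in priority_list:            # priority_list is ordered, best first
        if alg in ue_security_capability:
            return alg
    raise ValueError("no algorithm common to UE capability and priority list")


def kdf(key: bytes, *params: bytes) -> bytes:
    """KDF(key, P0, P1, ...) modelled as HMAC-SHA-256 over length-prefixed
    parameters, so (b"ab", b"c") and (b"a", b"bc") cannot collide."""
    msg = b"".join(struct.pack(">H", len(p)) + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_up_key(k_base: bytes, up_algorithm_id: str,
                  binding: Optional[Tuple[str, int]] = None) -> bytes:
    """The four variants: KDF(K, alg) or KDF(K, alg, X) with X one of
    ("flow", id), ("session", id), ("drb", id)."""
    params = [up_algorithm_id.encode()]
    if binding is not None:
        kind, value = binding
        if kind not in ("flow", "session", "drb"):
            raise ValueError("unknown binding kind " + kind)
        params.append(kind.encode() + struct.pack(">I", value))
    return kdf(k_base, *params)


def network_side(k_base: bytes, mechanism: Dict[str, object],
                 ue_security_capability: Sequence[str],
                 priority_list: Dict[str, Sequence[str]],
                 binding: Optional[Tuple[str, int]] = None):
    """AN / algorithm network element: select the algorithms the mechanism asks
    for, derive the first user plane protection keys, and return the selected
    algorithm IDs (the part that is sent to the UE) beside the keys (kept local)."""
    chosen: Dict[str, str] = {}
    if mechanism["encrypt"]:
        chosen["enc"] = select_algorithm(mechanism.get("enc_algorithm"),
                                         ue_security_capability, priority_list["enc"])
    if mechanism["integrity"]:
        chosen["int"] = select_algorithm(mechanism.get("int_algorithm"),
                                         ue_security_capability, priority_list["int"])
    keys = {role: derive_up_key(k_base, alg, binding) for role, alg in chosen.items()}
    return chosen, keys


def ue_side(k_base: bytes, chosen: Dict[str, str],
            binding: Optional[Tuple[str, int]] = None) -> Dict[str, bytes]:
    """UE: derive the second user plane protection keys from the received
    algorithm IDs; no key material crosses the air interface."""
    return {role: derive_up_key(k_base, alg, binding) for role, alg in chosen.items()}


if __name__ == "__main__":
    # Constructed sample negotiation for one QoS flow (flow ID 5).
    mech = {"encrypt": True, "integrity": True}
    prio = {"enc": ["NEA3", "NEA2", "NEA1"], "int": ["NIA2", "NIA1"]}
    cap = ["NEA1", "NEA2", "NIA1", "NIA2"]
    chosen, net_keys = network_side(K_AN_SAMPLE, mech, cap, prio, ("flow", 5))
    print(chosen, ue_side(K_AN_SAMPLE, chosen, ("flow", 5)) == net_keys)
```

Two properties worth checking in any real implementation are visible in the test: both ends derive identical keys from the same K and algorithm ID, and including the flow, session or DRB ID in the KDF input yields a different key per channel, so a key configured for one bearer cannot be reused on another even though both descend from the same K_AN.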
In a second aspect, an embodiment of the present invention provides a policy function network element for implementing the method of the first aspect. The policy function network element includes a receiving module, a policy module and a sending module, where:
the receiving module receives a request for communication between user equipment and network equipment; the request includes a session identifier, a user equipment identifier and indication information of security requirements, where the indication information of security requirements indicates the security requirements of the user equipment and/or the service security requirements;
the policy module determines a user plane protection mechanism based on the request and at least one of: UE registration information fed back by a unified data management network element (UDM), subscribed service data fed back by the UDM, and service security requirements fed back by an application function network element (AF); the user plane protection mechanism indicates whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted, integrity protected, or both;
the sending module sends the user plane protection mechanism to the access network (AN) equipment when the network equipment is AN equipment; the AN equipment determines a security protection algorithm based on the user plane protection mechanism and generates a first user plane protection key based on the security protection algorithm; the AN equipment further sends the security protection algorithm to the user equipment, so that the user equipment can generate a second user plane protection key based on the security protection algorithm;
the sending module further sends the user plane protection mechanism to an algorithm network element when the network equipment is core network (CN) equipment; the algorithm network element determines a security protection algorithm based on the user plane protection mechanism, generates a first user plane protection key based on the security protection algorithm, and sends the first user plane protection key to the CN equipment; the algorithm network element further sends the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
In a third aspect, an embodiment of the present invention provides another policy function network element, which includes a processor, a memory, a transmitter and a receiver, connected to each other (for example, through a bus). The processor reads the program code stored in the memory and executes the following steps:
receiving, through the receiver, a request for communication between user equipment and network equipment; the request includes a session identifier, a user equipment identifier and indication information of security requirements, where the indication information of security requirements indicates the security requirements of the user equipment and/or the service security requirements;
determining, by the processor, a user plane protection mechanism based on the request and at least one of: UE registration information fed back by a unified data management network element (UDM), subscribed service data fed back by the UDM, and service security requirements fed back by an application function network element (AF); the user plane protection mechanism indicates whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted, integrity protected, or both;
when the network equipment is access network (AN) equipment, sending the user plane protection mechanism to the AN equipment through the transmitter; the AN equipment determines a security protection algorithm based on the user plane protection mechanism and generates a first user plane protection key based on the security protection algorithm; the AN equipment further sends the security protection algorithm to the user equipment, so that the user equipment can generate a second user plane protection key based on the security protection algorithm;
when the network equipment is core network (CN) equipment, sending the user plane protection mechanism to an algorithm network element through the transmitter; the algorithm network element determines a security protection algorithm based on the user plane protection mechanism, generates a first user plane protection key based on the security protection algorithm, and sends the first user plane protection key to the CN equipment; the algorithm network element further sends the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
With reference to the third aspect, in a possible embodiment, the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier (DNN) and a user equipment security capability.
With reference to the third aspect, in a possible embodiment, the request is an attach request; the attach request is initiated by the user equipment to an authentication server network element (AUSF); the attach request is used for mutual authentication between the network device and the AUSF, and also triggers the policy function network element to determine a user plane protection mechanism;
with reference to the third aspect, in a possible embodiment, the request is a session request; the session request is initiated by the user equipment to a session management network element (SMF), or by an access and mobility management network element (AMF) to the SMF; the session request is used to establish a session between the network device and the SMF, and also triggers the policy function network element to determine a user plane protection mechanism;
with reference to the third aspect, in a possible embodiment, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and triggers the policy function network element to determine a user plane protection mechanism.
With reference to the third aspect, in a possible embodiment, the user plane protection mechanism further indicates at least one of the security protection algorithm, the key length and the key update period to be adopted for user plane data transmitted between the user equipment and the network device.
With reference to the third aspect, in a possible embodiment, the user plane protection mechanism further indicates a prioritized list of security protection algorithms that may be adopted for user plane data transmitted between the user equipment and the network device.
With reference to the third aspect, in a possible embodiment, the policy function network element is one of a policy control node (PCF), an authentication server network element (AUSF), an access and mobility management function network element (AMF), a session management network element (SMF) and AN equipment.
The CN equipment is a user plane node (UPF); the algorithm network element comprises at least one of the PCF, the AUSF, the AMF, the SMF and the AN equipment.
With reference to the third aspect, in a possible embodiment, the AN equipment determining a security protection algorithm based on the user plane protection mechanism includes:
if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability and the algorithm priority list supported by the AN equipment; and
if the user plane protection mechanism includes a security protection algorithm, directly taking the security protection algorithm from the user plane protection mechanism.
With reference to the third aspect, in a possible embodiment, the algorithm network element determining a security protection algorithm based on the user plane protection mechanism includes:
if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability and the algorithm priority list supported by the CN equipment; and
if the user plane protection mechanism includes a security protection algorithm, directly taking the security protection algorithm from the user plane protection mechanism.
With reference to the third aspect, in a possible embodiment, when the network device is AN equipment, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF from the basic key obtained after authentication, or from a key derived again after authentication, and the AN device obtains K_AN from the AMF;
when the network device is CN equipment, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is a base station key derived by the AMF or the AUSF from the basic key obtained after authentication, or from a key derived again after authentication, and the algorithm network element obtains K_algorithm network element from the AMF or the AUSF after authentication;
where the UP algorithm ID is the identifier of an encryption algorithm or the identifier of an integrity protection algorithm, and KDF is a key derivation function.
With reference to the third aspect, in a possible embodiment, the user plane data is carried over a quality of service (QoS) flow transmission channel;
if a QoS flow ID corresponding to a QoS flow transmission channel already exists, and the QoS flow corresponding to the QoS flow ID meets the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, selecting that QoS flow transmission channel to transmit the user plane data; otherwise, establishing a QoS flow transmission channel and generating a QoS flow ID corresponding to the new QoS flow transmission channel;
or, if a QoS flow ID corresponding to a QoS flow transmission channel already exists and the QoS flow corresponding to the QoS flow ID meets the user plane protection mechanism, selecting that QoS flow transmission channel to transmit the user plane data; otherwise, establishing a QoS flow transmission channel and generating a QoS flow ID corresponding to the new QoS flow transmission channel;
wherein the QoS requirement is a requirement on a quality of service parameter in the communication network.
With reference to the third aspect, in a possible embodiment, the user plane data is carried over a data radio bearer (DRB) transmission channel;
if a data radio bearer identifier (DRB ID) corresponding to a DRB transmission channel already exists, and the DRB corresponding to the DRB ID meets the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, selecting that DRB transmission channel to transmit the user data; otherwise, establishing a new DRB transmission channel and generating a DRB ID corresponding to the new DRB transmission channel;
or, if a DRB ID corresponding to a DRB transmission channel already exists and the DRB corresponding to the DRB ID meets the user plane protection mechanism, selecting that DRB transmission channel to transmit the user data; otherwise, establishing a new DRB transmission channel and generating a DRB ID corresponding to the new DRB transmission channel;
wherein the DRB ID has a mapping relationship with the user plane protection mechanism.
Optionally, the user plane data is carried over a session transmission channel;
if a session identifier (session ID) corresponding to a session transmission channel already exists, and the session corresponding to the session ID meets the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, selecting that session transmission channel to transmit the user data; otherwise, creating a session transmission channel and generating a session ID corresponding to the new session transmission channel;
or, if a session ID corresponding to a session transmission channel already exists and the session corresponding to the session ID meets the user plane protection mechanism, selecting that session transmission channel to transmit the user data; otherwise, creating a session transmission channel and generating a session ID corresponding to the new session transmission channel;
wherein the session ID has a mapping relationship with the user plane protection mechanism.
With reference to the third aspect, in a possible embodiment, the session ID and the mapping from the QoS flow ID to the DRB ID are established, and QoS flows with the same user plane protection mechanism are mapped to the same DRB.
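The QoS flow and DRB selection rules above, as an added example that is not part of the patent: a flow is reused only when it matches the user plane protection mechanism (and the QoS requirement, when one is given), otherwise a new flow is established, and flows with the same protection mechanism are mapped to the same DRB. The QoS parameters (delay, bit rate), the default QoS of a newly created flow and all identifiers are constructed sample values.

```python
"""
Added example (not the patent's own code): QoS flow and DRB selection at the
granularity the summary describes. The QoS parameters, the default QoS of a
newly established flow and the identifiers are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class UpProtection:
    """User plane protection mechanism: which protections the data needs."""
    encrypt: bool
    integrity: bool


@dataclass(frozen=True)
class QosRequirement:
    """Constructed QoS requirement: bounds on two QoS parameters."""
    max_delay_ms: int
    min_bit_rate_kbps: int


@dataclass
class QosFlow:
    flow_id: int
    protection: UpProtection
    delay_ms: int
    bit_rate_kbps: int

    def satisfies(self, protection: UpProtection, qos: Optional[QosRequirement]) -> bool:
        """Match on the protection mechanism, and on the QoS requirement if one is given."""
        if self.protection != protection:
            return False
        if qos is None:
            return True
        return self.delay_ms <= qos.max_delay_ms and self.bit_rate_kbps >= qos.min_bit_rate_kbps


# Constructed default QoS used when a flow is established without a QoS requirement.
DEFAULT_QOS = QosRequirement(max_delay_ms=100, min_bit_rate_kbps=1000)


class SessionChannels:
    """Per-session bookkeeping of QoS flows, DRBs and the flow-to-DRB mapping."""

    def __init__(self, session_id: str) -> None:
        self.session_id = session_id
        self.flows: Dict[int, QosFlow] = {}
        self.flow_to_drb: Dict[int, int] = {}
        # DRB ID -> protection mechanism: the mapping the summary requires between them.
        self.drb_protection: Dict[int, UpProtection] = {}
        self._next_flow_id = count(1)
        self._next_drb_id = count(1)

    def select_qos_flow(self, protection: UpProtection,
                        qos: Optional[QosRequirement] = None) -> Tuple[int, bool]:
        """Return (flow_id, created): an existing matching flow, or a newly established one."""
        for flow in self.flows.values():
            if flow.satisfies(protection, qos):
                return flow.flow_id, False
        provision = qos or DEFAULT_QOS
        flow_id = next(self._next_flow_id)
        # A new flow is provisioned exactly at the requirement's bounds (constructed policy).
        self.flows[flow_id] = QosFlow(flow_id, protection,
                                      provision.max_delay_ms, provision.min_bit_rate_kbps)
        return flow_id, True

    def map_flow_to_drb(self, flow_id: int) -> int:
        """Map the flow onto the DRB carrying its protection mechanism; create one if none exists."""
        if flow_id in self.flow_to_drb:
            return self.flow_to_drb[flow_id]
        protection = self.flows[flow_id].protection
        for drb_id, drb_protection in self.drb_protection.items():
            if drb_protection == protection:
                break
        else:
            drb_id = next(self._next_drb_id)
            self.drb_protection[drb_id] = protection
        self.flow_to_drb[flow_id] = drb_id
        return drb_id


if __name__ == "__main__":
    session = SessionChannels("sess-1")
    both = UpProtection(encrypt=True, integrity=True)
    flow, created = session.select_qos_flow(both, QosRequirement(50, 1000))
    print(flow, created, session.map_flow_to_drb(flow))  # 1 True 1
```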
With reference to the third aspect, in a possible embodiment, when the network device is an AN device, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_AN, UP algorithm ID); or,
the first user plane protection key is KDF(K_AN, UP algorithm ID, flow ID); or,
the first user plane protection key is KDF(K_AN, UP algorithm ID, session ID); or,
the first user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID).
With reference to the third aspect, in a possible embodiment, when the network device is a CN device, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID); or,
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, flow ID); or,
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, session ID); or,
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, DRB ID).
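The algorithm selection (take the algorithm from the user plane protection mechanism if it carries one, otherwise pick from the priority list against the UE security capability) and the key derivation KDF(K_AN, UP algorithm ID[, granularity ID]) on both the AN side (first key) and the UE side (second key), as an added example that is not part of the patent. The patent names KDF without defining it, so KDF is assumed here to be HMAC-SHA256 over length-prefixed parameters; K_AN, the algorithm identifiers and the granularity identifiers are constructed sample values.

```python
"""
Added example (not the patent's own code): algorithm selection and user plane
protection key derivation. KDF is assumed to be HMAC-SHA256 over length-prefixed
parameters; K_AN, algorithm IDs and granularity IDs are constructed values.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence, Set, Tuple


@dataclass
class UpProtectionMechanism:
    """Whether user plane data needs encryption and/or integrity protection.
    May also carry the algorithm to use, or a prioritized list, keyed "enc"/"int"."""
    encrypt: bool
    integrity: bool
    algorithms: Dict[str, str] = field(default_factory=dict)
    priority_lists: Dict[str, Sequence[str]] = field(default_factory=dict)


def select_security_algorithm(kind: str, mechanism: UpProtectionMechanism,
                              ue_capability: Set[str],
                              node_priority_lists: Dict[str, Sequence[str]]) -> str:
    """If the mechanism already carries the algorithm, take it directly; otherwise
    pick the highest-priority algorithm that the UE security capability supports."""
    if kind in mechanism.algorithms:
        return mechanism.algorithms[kind]
    candidates = mechanism.priority_lists.get(kind) or node_priority_lists[kind]
    for alg in candidates:
        if alg in ue_capability:
            return alg
    raise ValueError(f"no {kind} algorithm shared by the UE capability and the priority list")


def kdf(key: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over the length-prefixed concatenation of the parameters."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_up_key(k_node: bytes, up_algorithm_id: str,
                  granularity_id: Optional[str] = None) -> bytes:
    """KDF(K_AN, UP algorithm ID) or, at finer granularity,
    KDF(K_AN, UP algorithm ID, flow ID | session ID | DRB ID)."""
    params = [up_algorithm_id.encode()]
    if granularity_id is not None:
        params.append(granularity_id.encode())
    return kdf(k_node, *params)


def negotiate(mechanism: UpProtectionMechanism, ue_capability: Set[str],
              an_priority_lists: Dict[str, Sequence[str]], k_an: bytes,
              granularity_id: Optional[str] = None
              ) -> Tuple[Dict[str, str], Dict[str, bytes], Dict[str, bytes]]:
    """AN side: select an algorithm for each required protection and derive the first
    keys. UE side: receive the algorithm identifiers and derive the second keys from its
    own copy of K_AN. Returns (chosen algorithms, first keys, second keys)."""
    chosen: Dict[str, str] = {}
    for kind, needed in (("enc", mechanism.encrypt), ("int", mechanism.integrity)):
        if needed:
            chosen[kind] = select_security_algorithm(kind, mechanism, ue_capability,
                                                     an_priority_lists)
    first_keys = {kind: derive_up_key(k_an, alg, granularity_id) for kind, alg in chosen.items()}
    # The AN sends `chosen` to the UE; the UE derives with the same inputs, so the keys match.
    second_keys = {kind: derive_up_key(k_an, alg, granularity_id) for kind, alg in chosen.items()}
    return chosen, first_keys, second_keys


if __name__ == "__main__":
    k_an = bytes(range(32))  # constructed K_AN
    mech = UpProtectionMechanism(encrypt=True, integrity=True, algorithms={"enc": "NEA2"})
    chosen, first, second = negotiate(mech, {"NEA1", "NEA2", "NIA1", "NIA2"},
                                      {"enc": ["NEA3", "NEA2"], "int": ["NIA3", "NIA2"]},
                                      k_an, "flow-1")
    print(chosen, first == second)
```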
In a fourth aspect, an embodiment of the present invention provides a communication system, where the communication system includes user equipment, a policy function network element, network equipment, a unified data management network element (UDM), an application function network element (AF) and an algorithm network element, where the policy function network element is connected with the user equipment and the network equipment, the policy function network element is also connected with the UDM and the AF, and the algorithm network element is connected with the policy function network element and the network equipment, wherein:
the policy function network element is used for receiving a request for communication between user equipment and network equipment; the request comprises a session identifier, a user equipment identifier and indicating information of safety requirements, wherein the indicating information of the safety requirements is used for indicating the safety requirements of the user equipment and/or the service safety requirements;
the policy function network element is further configured to determine a user plane protection mechanism based on the request and at least one of UE registration information fed back by the UDM, subscription service data fed back by the UDM, and service security requirements fed back by the AF; the user plane protection mechanism is used for indicating whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted or integrity protected or whether encryption and integrity protection are needed simultaneously.
when the network device is an access network (AN) device, the policy function network element is further configured to send the user plane protection mechanism to the AN device; the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism; the AN device is further configured to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment; and the user equipment is configured to generate a second user plane protection key based on the security protection algorithm;
when the network device is a core network CN device, the policy function network element is configured to send the user plane protection mechanism to an algorithm network element; the algorithm network element is further configured to determine a security protection algorithm based on the user plane protection mechanism; the algorithm network element is further configured to generate a first user plane protection key based on the security protection algorithm; the algorithm network element is further configured to send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment; the user equipment is used for generating a second user plane protection key based on the security protection algorithm.
In a fifth aspect, an embodiment of the present invention provides a key configuration method, including:
user equipment sends a request, wherein the request comprises an identifier of the user equipment;
the user equipment receives a response, where the response carries a security protection algorithm, the security protection algorithm is determined by a user plane protection mechanism, and the user plane protection mechanism is determined by a policy function network element based on the request and at least one of UE registration information fed back by a unified data management network element (UDM), subscription service data fed back by the UDM and service security requirements fed back by an application function network element (AF); the user plane protection mechanism is used for indicating whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection;
and the user equipment determines a user plane protection key based on the security protection algorithm, wherein the user plane protection key is used for performing security protection on user plane data transmitted between the user equipment and the network equipment.
Optionally, the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
Optionally, the request is an attach request; the attach request is initiated by the user equipment to an authentication server network element (AUSF); the attach request is used for performing bidirectional authentication between the network device and the AUSF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a session request; the session request is initiated by the user equipment to a session management network element (SMF), or initiated by an access and mobility management network element (AMF) to the SMF; the session request is used for establishing a session between the network device and the SMF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine a user plane protection mechanism.
Optionally, in the method of any one of claims 40 to 42, the user plane protection mechanism is further configured to indicate at least one of a security protection algorithm, a key length, and a key update period to be adopted for user plane data transmitted between the user equipment and the network device.
Optionally, in the method of any one of claims 40 to 43, the user plane protection mechanism is further configured to indicate a prioritized list of security protection algorithms that may be employed for user plane data transmitted between the user equipment and the network device.
Optionally, the policy function network element includes one of a policy control node (PCF), an authentication server network element (AUSF), an access and mobility management function network element (AMF), a session management network element (SMF), and an AN device.
Optionally, in the method of any one of claims 40 to 45, the user equipment determining a user plane protection key based on the security protection algorithm includes:
when the network device is an AN device, the user plane protection key is KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF from a basic key after authentication, or a key derived again after authentication, and the AN device obtains K_AN from the AMF;
when the network device is a CN device, the user plane protection key is KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is a base station key derived by the user equipment from a basic key after authentication, or a key derived again after successful authentication;
wherein the UP algorithm ID is the identifier of an encryption algorithm or the identifier of an integrity protection algorithm, and KDF is a key derivation function.
Optionally, the network device is an access network (AN) device or a user plane node (UPF).
In a sixth aspect, an embodiment of the present invention provides a key configuration method, including:
a user plane node receives a response, where the response carries a security protection algorithm, the security protection algorithm is determined by a user plane protection mechanism, and the user plane protection mechanism is determined by a policy function network element based on the request and at least one of UE registration information fed back by a unified data management network element (UDM), subscription service data fed back by the UDM and service security requirements fed back by an application function network element (AF); the user plane protection mechanism is used for indicating whether user plane data transmitted between user equipment and the user plane node needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection;
and the user plane node determines a user plane protection key based on the security protection algorithm, wherein the user plane protection key is used for performing security protection on user plane data transmitted between user equipment and the user plane node.
Optionally, the user plane protection mechanism is further configured to indicate at least one of a security protection algorithm, a key length, and a key update period that needs to be adopted for user plane data transmitted between the user equipment and the network device.
Optionally, the user plane protection mechanism is further configured to indicate a list of security protection algorithms with priorities that can be used for user plane data transmitted between the user equipment and the network device.
Optionally, the policy function network element includes one of a policy control node (PCF), an authentication server network element (AUSF), an access and mobility management function network element (AMF), a session management network element (SMF), and an AN device.
In a seventh aspect, an embodiment of the present invention provides a key configuration method, including:
the access network device receives a user plane protection mechanism, where the user plane protection mechanism is determined by a policy function network element based on the request and at least one of UE registration information fed back by a unified data management network element (UDM), subscription service data fed back by the UDM and service security requirements fed back by an application function network element (AF); the user plane protection mechanism is used for indicating whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted, or needs integrity protection, or needs both encryption and integrity protection;
The access network equipment determines a security protection algorithm based on the user plane protection mechanism, and generates a first user plane protection key based on the security protection algorithm;
and the access network equipment sends the security protection algorithm to the user equipment so that the user equipment can generate a second user plane protection key based on the security protection algorithm.
Optionally, the user plane protection mechanism is further configured to indicate at least one of a security protection algorithm, a key length, and a key update period that needs to be adopted for user plane data transmitted between the user equipment and the network device.
Optionally, the user plane protection mechanism is further configured to indicate a list of security protection algorithms with priorities that can be used for user plane data transmitted between the user equipment and the network device.
Optionally, the policy function network element includes one of a policy control node (PCF), an authentication server network element (AUSF), an access and mobility management function network element (AMF), a session management network element (SMF), and an AN device.
Optionally, the access network device being configured to determine a security protection algorithm based on the user plane protection mechanism includes:
if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism and the algorithm priority list supported by the access network device; and
if the user plane protection mechanism includes a security protection algorithm, directly acquiring the security protection algorithm from the user plane protection mechanism.
Optionally, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF from a basic key after authentication, or a key derived again after authentication, and the access network device obtains K_AN from the AMF;
wherein the UP algorithm ID is the identifier of an encryption algorithm or the identifier of an integrity protection algorithm, and KDF is a key derivation function.
In an eighth aspect, an embodiment of the present invention provides a key configuration method, including:
a session management network element receives a request for communication between user equipment and network equipment; the request comprises a session identifier, a user equipment identifier and indicating information of safety requirements, wherein the indicating information of the safety requirements is used for indicating the safety requirements of the user equipment and/or the service safety requirements;
the session management network element determines a user plane protection mechanism based on the request and at least one of UE registration information fed back by a unified data management network element (UDM), signed service data fed back by the UDM and service security requirements fed back by an application function network element (AF); the user plane protection mechanism is used for indicating whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted or integrity protected or not, or whether encryption and integrity protection are needed simultaneously or not;
when the network device is an access network (AN) device, the session management network element sends the user plane protection mechanism to the AN device; the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment, so that the user equipment can generate a second user plane protection key based on the security protection algorithm;
when the network equipment is core network CN equipment, the session management network element sends the user plane protection mechanism to an algorithm network element; the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, generate a first user plane protection key based on the security protection algorithm, and send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
Optionally, the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
Optionally, the request is an attach request; the attach request is initiated by the user equipment to an authentication server network element (AUSF); the attach request is used for performing bidirectional authentication between the network device and the AUSF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a session request; the session request is initiated by the user equipment to a session management network element (SMF), or initiated by an access and mobility management network element (AMF) to the SMF; the session request is used for establishing a session between the network device and the SMF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine a user plane protection mechanism.
Optionally, the user plane protection mechanism is further configured to indicate at least one of a security protection algorithm, a key length, and a key update period that needs to be adopted for user plane data transmitted between the user equipment and the network device.
Optionally, the user plane protection mechanism is further configured to indicate a list of security protection algorithms with priorities that can be used for user plane data transmitted between the user equipment and the network device.
Optionally, the session management network element determines that the user plane data is carried over a QoS flow transmission channel;
if a QoS flow ID corresponding to a QoS flow transmission channel already exists, and the QoS flow corresponding to the QoS flow ID meets the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, selecting that QoS flow transmission channel to transmit the user plane data; otherwise, establishing a QoS flow transmission channel and generating a QoS flow ID corresponding to the new QoS flow transmission channel;
or, if a QoS flow ID corresponding to a QoS flow transmission channel already exists and the QoS flow corresponding to the QoS flow ID meets the user plane protection mechanism, selecting that QoS flow transmission channel to transmit the user plane data; otherwise, establishing a QoS flow transmission channel and generating a QoS flow ID corresponding to the new QoS flow transmission channel;
wherein the QoS requirement is a requirement on a quality of service parameter in the communication network.
Optionally, the session management network element determines that the user plane data is carried over a data radio bearer (DRB) transmission channel;
if a data radio bearer identifier (DRB ID) corresponding to a DRB transmission channel already exists, and the DRB corresponding to the DRB ID meets the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, selecting that DRB transmission channel to transmit the user data; otherwise, establishing a new DRB transmission channel and generating a DRB ID corresponding to the new DRB transmission channel;
or, if a DRB ID corresponding to a DRB transmission channel already exists and the DRB corresponding to the DRB ID meets the user plane protection mechanism, selecting that DRB transmission channel to transmit the user data; otherwise, establishing a new DRB transmission channel and generating a DRB ID corresponding to the new DRB transmission channel;
wherein the DRB ID has a mapping relationship with the user plane protection mechanism.
Optionally, the session management network element determines that the user plane data is carried over a session transmission channel;
if a session identifier (session ID) corresponding to a session transmission channel already exists, and the session corresponding to the session ID meets the user plane protection mechanism, or the QoS requirement, or both the user plane protection mechanism and the QoS requirement, selecting that session transmission channel to transmit the user data; otherwise, creating a session transmission channel and generating a session ID corresponding to the new session transmission channel;
or, if a session ID corresponding to a session transmission channel already exists and the session corresponding to the session ID meets the user plane protection mechanism, selecting that session transmission channel to transmit the user data; otherwise, creating a session transmission channel and generating a session ID corresponding to the new session transmission channel;
wherein the session ID has a mapping relationship with the user plane protection mechanism.
In a ninth aspect, the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the first aspect.
In a tenth aspect, the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the fifth aspect.
In an eleventh aspect, the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the sixth aspect.
In a twelfth aspect, an embodiment of the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the seventh aspect.
In a thirteenth aspect, the present invention provides a readable non-volatile storage medium storing computer instructions which, when executed, implement the method described in the eighth aspect.
In a fourteenth aspect, an embodiment of the present invention provides a computer program product which, when run on a computer, implements the method described in the first aspect, the fifth aspect, the sixth aspect, the seventh aspect, or the eighth aspect.
By implementing the embodiments of the invention, a communication architecture based on future 5G can be realized: when user plane data needs to be transmitted in the communication between the user equipment and the network equipment (access network equipment or core network equipment), the user equipment and the network equipment complete policy negotiation, and after a user plane protection mechanism is determined, the user equipment and the network equipment each complete the configuration of a user plane protection key, thereby realizing security protection of the user plane data. The embodiments of the invention can realize network security protection at QoS flow, DRB and session granularity, avoid the drawbacks of hop-by-hop segmented protection, and improve the security of user plane data transmission.
Drawings
The drawings that accompany the detailed description can be briefly described as follows.
Fig. 1 is a schematic diagram of a mobile communication network architecture according to an embodiment of the present invention;
FIG. 2 is a diagram of a data transmission channel according to an embodiment of the present invention;
Figs. 3 to 18 are schematic flow charts of key configuration methods provided by embodiments of the present invention;
fig. 19 is a schematic structural diagram of a policy function network element according to an embodiment of the present invention;
fig. 20 is a schematic structural diagram of a policy function network element according to another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention.
For the understanding of the scheme, a network architecture to which the scheme of the embodiment of the present application may be applied is first described by way of example with reference to the accompanying drawings. Fig. 1 shows a network architecture for future mobile communications, which includes a user equipment and an operator network, which in turn includes a core network and a data network, and the user equipment accesses the operator network through an access network node. The method comprises the following specific steps:
a User Equipment (UE) is a logical entity, and specifically, the UE may be any one of a Terminal Equipment (Terminal Equipment), a Communication Device (Communication Device), and an Internet of Things (IoT) Device. The terminal device may be a smart phone (smart phone), a smart watch (smart watch), a smart tablet (smart tablet), or the like. The communication device may be a server, Gateway (GW), controller, or the like. The internet of things equipment can be a sensor, an electric meter, a water meter and the like.
An access network (AN), which is responsible for access of the user equipment, may be a wireless access point, for example a base station, a Wireless Fidelity (Wi-Fi) access point or a Bluetooth access point, or a wired access point, for example a gateway, a modem, fibre access or IP access.
A Data Network (DN), which may be an external network of an operator or a network controlled by the operator, is used to provide service services to users.
The CN serves as a bearer network that provides an interface to the DN and provides the UE with communication connection, authentication, management, policy control, bearer completion for data services, and the like. The CN in turn includes an access and mobility management network element, a session management network element, an authentication server network element, a policy control node, an application function network element, a user plane node, and the like, described as follows:
an Access and Mobility Management Function (AMF) for managing Access and Mobility of the UE.
A Session Management Function (SMF) is configured to perform session management, including the establishment and management of a session, a flow, or a bearer.
An Authentication server network element (AUSF), a node where the UE performs bidirectional Authentication with the operator network. The AUSF can be deployed independently as an independent logic function entity, and can also be integrated in AMF/SMF and other devices.
A Unified Data Manager (UDM) for storing UE registration information and possibly subscription service Data.
A Policy Control Function (PCF), where the PCF deploys a policy control function, that is, the function of completing negotiation of a user plane protection mechanism according to a security requirement and determining the user plane protection mechanism in the network. It should be noted that the PCF may be an independent logical functional entity, or may be integrated in other network elements. That is, in a specific implementation, the policy control function may be deployed in the PCF, or may be deployed in other network elements, such as a Mobility Management (MM) network element, a Session Management (SM) network element, an Authentication server node (AUSF), a Policy and Charging Rules Function (PCRF), a Mobility Management Entity (MME), a Home Subscriber Server (HSS), an Authentication Center (AuC), an Authentication credential Repository and Processing Function (ARPF), a Security Context Management Function (SCMF), an Access and Mobility Management Function (AMF), a Session Management Function (SMF), an access network (AN), a User Plane Function (UPF), and the like. In the embodiment of the present invention, a network element deploying the policy control function (e.g., the PCF) may interact with an external AAA server, an APP server, or a service server of the DN to obtain the security requirement of the DN side.
Application Function network element (AF): the policy decision module is used for storing service security requirements and providing policy decision information for the PCF.
User Plane node (User Plane Function, UPF): the UPF may be a gateway, a server, a controller, a user plane function network element, etc. The UPF may be located inside the operating network or outside the operating network.
It should be further noted that fig. 1 shows logical relationships among network elements, and in practice, some network elements may be deployed individually, or two or more network elements may be deployed in an entity in an integrated manner. For example, AMF and SMF may be deployed in one entity; or the AMF and SMF may be deployed separately in different entities.
Based on the above network architecture for mobile communication, the data transmission channels involved in the communication process are analyzed below.
From a vertical perspective, when the user equipment needs to communicate with the operator network, at least two aspects of communication are involved: (1) the communication between the user equipment and the access network, referred to as UE-AN communication, belongs to direct communication, and the UE is in communication connection with the AN through AN air interface. In order to realize the security of UE-AN communication, a user plane protection mechanism needs to be established between the UE and the AN. (2) The user equipment communicates with the core network, referred to as UE-CN communication for short. The UE-CN communication belongs to indirect communication, the UE is in communication connection with the CN through an access network, and in the process, the access network plays a role in transparent transmission or forwarding. In order to realize the security of UE-CN communication, a user plane protection mechanism needs to be established between the UE and the CN.
From a lateral perspective, the hardware infrastructure of a communication network can be partitioned into multiple virtual end-to-end networks, called network slices, each logically isolated from the others along the whole path from user equipment to access network to core network, so as to adapt to the different needs of various types of services. One network slice may include one or more sessions. In the data transmission process, different bearers may be adopted for different types of services: when the UE is in communication connection with an access network or a core network, multiple bearers may exist in the same communication connection at the same time. A bearer provides a logical transmission channel between UE and AN or between UE and CN, and each bearer is associated with a Quality of Service (QoS) parameter set, such as bit rate, delay, and error rate, describing the attributes of the transmission channel. Transmission channels include a session (e.g., a PDU session), a radio bearer (e.g., a Data Radio Bearer), a flow (e.g., a QoS flow), and the like. For convenience of description, the following uses the PDU session, the Data Radio Bearer, and the QoS flow as examples.
Referring to fig. 2, fig. 2 is a simplified schematic diagram of a data transmission channel according to an embodiment of the present invention. As shown in fig. 2, the UE may be communicatively coupled to the AN and may also be communicatively coupled to a UPF in the core network. The network slice in the communication connection has multiple transmission channels, including a PDU session and one or more QoS flows logically arranged between the UE and the UPF, one or more Radio Bearer logically arranged between the UE and the AN, and AN N3 tunnel logically arranged between the AN and the UPF, which are described in detail as follows:
The PDU session is a coarse-grained data transmission channel between the UE and the UPF. It includes a Radio Bearer segment and an N3 tunnel segment, and finer-grained QoS flows run within the PDU session. In fig. 2, the PDU session includes an N3 tunnel, a plurality of Radio Bearers (Radio Bearer1, Radio Bearer2), and a plurality of QoS flows (QoS flow1, QoS flow2, QoS flow3).
The Radio Bearer is a bearer channel between the UE and the AN. Radio Bearers include Signaling Radio Bearers and Data Radio Bearers (DRB), and different Radio Bearers may carry different QoS flows; in fig. 2, Radio Bearer1 includes QoS flow1 and QoS flow2, and Radio Bearer2 includes only QoS flow3.
The N3 tunnel is a data transmission channel between the AN and the UPF and may be used to transmit the QoS flow data of the user equipment; in fig. 2, the N3 tunnel carries QoS flow1, QoS flow2, and QoS flow3.
The QoS flow is a fine-grained data transmission channel running end to end between the UE and the UPF. A QoS flow has uniform QoS requirements, and different QoS flows have different QoS flow identifiers (QFI).
To address the defects of the prior art, based on the network architecture shown in fig. 1 and the data transmission channel architecture shown in fig. 2, an embodiment of the present invention provides a key configuration method, which is briefly described as follows:
1. A policy function network element receives a request for communication between user equipment and network equipment;
the policy function network element is one of a policy control node (PCF), an authentication server network element (AUSF), an access and mobility management function network element (AMF), a session management network element (SMF), and CN equipment.
The request is an attach request; or the request is a session request; or the request is a policy request;
the request comprises a session identifier, a user equipment identifier, and indication information of security requirements, where the indication information of security requirements is used to indicate the security requirements of the user equipment and/or the service security requirements; the request may further comprise at least one of a service identifier, a user equipment service identifier, a data network identifier (DNN), and the user equipment security capability.
2. The policy function network element determines a user plane protection mechanism based on the request and at least one of UE registration information fed back by a unified data management network element (UDM), subscription service data fed back by the UDM, and service security requirements fed back by an application function network element (AF);
the user plane protection mechanism is used to indicate whether user plane data transmitted between the user equipment and the network device needs to be encrypted and/or integrity protected. The user plane protection mechanism is further used to indicate at least one of a security protection algorithm, a key length, and a key update period to be adopted for user plane data transmitted between the user equipment and the network equipment.
3. When the network equipment is access network (AN) equipment, the policy function network element sends the user plane protection mechanism to the AN equipment;
the AN equipment determines a security protection algorithm based on the user plane protection mechanism;
the AN equipment generates a first user plane protection key based on the security protection algorithm;
the AN equipment sends the security protection algorithm to the user equipment;
the user equipment generates a second user plane protection key based on the security protection algorithm.
4. When the network device is core network (CN) equipment (for example, a user plane node UPF), the policy function network element sends the user plane protection mechanism to an algorithm network element;
the algorithm network element is one of the PCF, the AUSF, the AMF, the SMF, and the AN equipment.
The algorithm network element determines a security protection algorithm based on the user plane protection mechanism;
the algorithm network element generates a first user plane protection key based on the security protection algorithm;
the algorithm network element sends the first user plane protection key to the CN equipment;
the algorithm network element sends the security protection algorithm to the user equipment;
the user equipment generates a second user plane protection key based on the security protection algorithm.
It can be understood that, after the policy negotiation and the key configuration process are completed, when user plane data needs to be transmitted in the uplink direction, the user equipment uses the second user plane protection key to protect the user plane data, obtaining protected user plane data, and then sends the protected user plane data to the network equipment; the network device restores the protected user plane data using the first user plane protection key to obtain the user plane data.
When user plane data needs to be transmitted in the downlink direction, the network device uses the first user plane protection key to protect the user plane data, obtaining protected user plane data, then sends the protected user plane data to the user equipment, and the user equipment restores the protected user plane data using the second user plane protection key to obtain the user plane data.
Next, according to the network architecture shown in fig. 1, the key configuration method provided in the embodiment of the present invention is described for UE-AN and for UE-CN, first without distinguishing granularity and then with granularity distinguished.
First, a key configuration method provided in an embodiment of the present invention is described for UE-AN without distinguishing granularity. As shown in fig. 3, the key configuration method includes the following steps:
1. in the process of attaching to the network, the UE sends AN attach request (attach request) to the AN, and the AN sends the attach request to the AMF.
In the embodiment of the present invention, the attach request includes a user equipment identifier (UE ID), a user equipment security capability, and indication information (indicator) of a security requirement, where the indication information of the security requirement is used to indicate the equipment security requirement and/or a service security requirement; in addition, the attach request may further include a service ID and a UE service ID. The attach request may further include a Data Network identity (DNN), where the DNN represents a Data Network identity that the UE wishes to access. Wherein:
in particular, a user equipment identity (UE ID) is used to characterize the identity of the user equipment that issued the attach request. For example: the UE ID may be one or more of a Media Access Control (MAC) address, an Internet Protocol (IP) address, a Mobile phone number, an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), an IP Multimedia Private Identity (IMPI), a Temporary Mobile Subscriber Identity (TMSI), an IP Multimedia Public Identity (IMPU), a global Unique Temporary UE identity (GUTI), and the like.
Specifically, the security capability of the user equipment is used to characterize security protection algorithms that the user equipment can support, key lengths that the user equipment can support, key update periods that the user equipment can support, and the like. It can be understood that the storage capacity and the operation speed of different user equipments are different, and therefore, the security protection algorithms supported by different user equipments, the supported key lengths, and the supported key update periods are different. For example, the storage capacity of Internet of Things (IoT) devices is not large, the operation speed is not high, and a security protection algorithm with high complexity cannot be supported; the smart phone has large storage capacity and higher operation speed, and can support a safety protection algorithm with higher complexity. Therefore, the user equipment needs to inform the AMF of the security capability of the user equipment, so that the AMF determines the user plane protection mechanism in combination with the security capability of the user equipment.
In the embodiment of the present invention, the security protection algorithm includes a ciphering algorithm and an integrity protection algorithm, for example, the security protection algorithm may be any one of null, AES, Snow 3G, ZUC, and the like, where null represents a null algorithm. The key length may be any one of 64 bits, 96 bits, 128 bits, 192 bits, 256 bits, and so on. The key update time may be any one of 6 hours, 12 hours, 24 hours, 48 hours, and the like. The above security algorithm, key length and key update time are only used as an example and should not be construed as a limitation to the present application.
Specifically, the device security requirement indicates the security requirement on the UE side, that is, it tells the AMF what user plane protection mechanism the UE needs. In the embodiment of the present invention, the user plane protection mechanism indicates the protection mode of user plane data transmission, for example, whether the UE needs to perform encryption and/or integrity protection on the user plane data. The user plane protection mechanism may be "encryption required + integrity protection not required"; or "encryption required + integrity protection not required"; or "encryption required + integrity protection required". Encryption means that the user plane data is turned into unreadable ciphertext by an encryption algorithm, so that the data cannot be illegally stolen or read. Integrity protection means that, after the user plane data is processed by an integrity protection algorithm, the data is protected against illegal insertion, deletion, replacement, and the like during transmission. In addition, in a possible embodiment of the present invention, the user plane protection mechanism may also indicate a security protection algorithm, a key length acceptable to the UE, a key update period acceptable to the UE, and the like.
For example, the user plane protection mechanism may further indicate a security protection algorithm, consisting of an indicated encryption algorithm and an indicated integrity protection algorithm. The indicated encryption algorithm specifies which encryption algorithm, including but not limited to null (the null algorithm, meaning no encryption is performed), AES, Snow 3G, or ZUC, is used to encrypt the user plane data; the indicated integrity protection algorithm specifies which integrity protection algorithm, including but not limited to null (the null algorithm, meaning no integrity protection), AES, Snow 3G, ZUC, HMAC, or CMAC, is used to integrity protect the user plane data. The security protection algorithm in a security requirement may comprise a plurality of encryption algorithms and/or a plurality of integrity protection algorithms; in this case, the security requirement also includes a prioritization of the algorithms, i.e., an indication of which algorithm is to be used preferentially.
Also for example, the key length acceptable to the UE indicated by the user plane protection mechanism includes 64, 128, 256, or 512 bits, etc. As another example, the UE acceptable key update period indicated by the user plane protection mechanism may be 6 hours, 12 hours, 24 hours, 48 hours, and so on.
Specifically, the service security requirement is used for characterizing at least one of a service acceptable security algorithm, an acceptable key length and an acceptable key update period. It will be appreciated that the requirements for security algorithms, key length, and key update period are different for different services. For example, financial services have a high demand on security algorithms, whereas video download services have a low demand on security algorithms. Therefore, the first device needs to inform the AMF of the service security requirement, so that the AMF generates the user plane protection mechanism in combination with the service security requirement.
Specifically, the service ID is used to characterize a service supported by the UE, for example, if the service is a WeChat, the service ID is a WeChat identifier (WeChat ID).
Specifically, the UE service ID is used to represent an identifier of a service that the UE specifically needs to transmit in a service supported by the UE, for example, if the service is a wechat, the UE service ID is a wechat user identifier (wechat user ID).
In a communication architecture, before performing actual service transmission, a UE first needs to attach (attach) to a subscription network to obtain authorization on the subscription network. In a specific application scenario, the UE may trigger AN attach procedure when starting up, and send AN attach request to the AN; the UE may also re-trigger the attach procedure to send AN attach request to the AN when it needs to connect to the network after leaving the network completely for a while. And after receiving the attachment request, the AN forwards the attachment request to the AMF.
2. The AMF sends the UE ID to the AUSF.
In a specific embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another embodiment, the AMF sends the authentication request directly to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving the authentication request.
3. And the UE and the AUSF are authenticated in a bidirectional mode.
The AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a valid user.
4. The AMF determines the user plane protection mechanism.
In the embodiment of the present invention, the policy control function is deployed in the AMF, and the AMF may determine the user plane protection mechanism in multiple ways:
In a first way, the AMF may determine the user plane protection mechanism according to the indicator, as follows: (1) the AMF obtains the security requirement on the user equipment side (i.e., the user equipment security requirement) from the indicator, and then determines the user plane protection mechanism according to the user equipment security requirement; (2) the AMF obtains the security requirement of the service (i.e., the service security requirement) from the indicator, and then determines the user plane protection mechanism according to the service security requirement.
In a second way, the AMF may determine the user plane protection mechanism according to the UE registration information, which the AMF obtains from the UDM. Specifically, after receiving the attach request of the UE, the AMF sends the UE ID to the UDM and obtains the UE registration information from the UDM, or obtains it from the UDM through the AUSF. The registration information is preset in the UDM, and the UE registration information comprises a preset UE security requirement. The UE security requirement indicates whether the UE needs encryption, or whether the UE needs integrity protection, or whether the UE needs both encryption and integrity protection.
In a third way, the AMF may determine the user plane protection mechanism according to the subscription service data. Specifically, the AMF sends a service ID to the UDM, or sends a data network identifier (DNN) to the UDM; the UDM looks up the preset subscription service data for the service ID or DNN and sends the related subscription service data to the AMF. The subscription service data comprises a preset service security requirement, which indicates what user plane protection mechanism the service needs, for example whether the service needs encryption, or whether the service needs integrity protection, or whether the service needs both encryption and integrity protection.
In a fourth way, the AMF may determine the user plane protection mechanism according to the service security requirement fed back by the AF. Specifically, the PCF sends a request to the AF, and the AF feeds back a service security requirement to the PCF based on the request, where the request may include at least one of a UE ID, a service UE ID, or a DNN; the PCF then sends the service security requirement to the AMF, so that the AMF obtains it. The service security requirement indicates what user plane protection mechanism the service needs, for example, whether the service needs encryption, or whether integrity protection is required, or whether both encryption and integrity protection are required.
In a specific embodiment of the present invention, the AMF may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and a service security requirement fed back by the AF. That is, the AMF may determine the user plane protection mechanism comprehensively according to the security requirement required by the user equipment side and the security requirement preset by the network side or the security requirement of the service.
5. The AMF sends a user plane protection mechanism to the AN, and correspondingly, the AN receives the user plane protection mechanism.
6. The AN determines a security protection algorithm and determines a user plane protection key.
In a specific embodiment, after obtaining the user plane protection mechanism, the AN determines whether the user plane protection mechanism between the UE and the AN requires encryption and whether it requires integrity protection; then the AN determines a security protection algorithm according to the UE security capability and the algorithm priority list supported by the AN. For example, when the user plane protection mechanism is "encryption required + integrity protection required", the AN determines, according to the UE security capability and the algorithm priority list supported by the AN, that the encryption algorithm is AES and the integrity protection algorithm is AES.
In another embodiment, the user plane protection mechanism itself specifies the security protection algorithm, and the AN can obtain the security protection algorithm directly from the user plane protection mechanism. In step 5, after determining the user plane protection mechanism, the AMF may obtain the algorithm priority list supported by the AN and determine an air interface protection algorithm based on that list, the algorithms supported by the UE, and the security capability of the user equipment. For example, for the user plane protection mechanism "encryption required + integrity protection required", the AMF further determines that the encryption algorithm is AES and the integrity protection algorithm is AES, and carries the security protection algorithm in the user plane protection mechanism. In this case, since the user plane protection mechanism directly specifies the encryption algorithm and the integrity protection algorithm, the AN can obtain both directly from the user plane protection mechanism after receiving it.
In addition, when the user plane protection mechanism is "encryption required + integrity protection required" in a specific application scenario, the user plane data may be encrypted and integrity protected with the same security protection algorithm, the same key length, and the same key update time, or with different security protection algorithms, different key lengths, and different key update times. For example, in one specific embodiment, when both the confidentiality and the integrity of the session are protected, the security protection algorithm adopted for confidentiality is Snow 3G, the key length is 64 bits, and the key update time is 6 hours; for integrity, the security protection algorithm adopted is also Snow 3G, the key length is 64 bits, and the key update time is 6 hours. In another specific embodiment, for encryption the security protection algorithm adopted is Snow 3G, the key length is 64 bits, and the key update time is 6 hours; for integrity, the AN/UE adopt ZUC as the security protection algorithm, the key length is 128 bits, and the key update time is 12 hours.
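The AN's decision in step 6, the AN algorithm priority list intersected with the UE security capability, with the null algorithm chosen only for a protection the mechanism does not require, as an added Go example that is not part of the patent. The algorithm names are the page's; the types, function names and the refusal to let a required protection degrade to null are assumptions of this example.

```go
package main

import "fmt"

// ProtectionMechanism mirrors the user plane protection mechanism of the page:
// whether user plane data must be encrypted and/or integrity protected.
type ProtectionMechanism struct {
	EncryptionRequired bool
	IntegrityRequired  bool
}

// AlgorithmLists holds encryption and integrity algorithm names (constructed
// type). For the UE it is the security capability from the attach request;
// for the AN it is the algorithm priority list, highest preference first.
type AlgorithmLists struct {
	Ciphering []string
	Integrity []string
}

// pick returns the first entry of the AN priority list that the UE also
// supports, or "" when the two lists have no algorithm in common.
func pick(anPriority, ueSupported []string) string {
	supported := make(map[string]bool, len(ueSupported))
	for _, a := range ueSupported {
		supported[a] = true
	}
	for _, a := range anPriority {
		if supported[a] {
			return a
		}
	}
	return ""
}

// SelectAlgorithms performs the AN's step 6 decision. A protection that the
// mechanism does not require gets the null algorithm. A protection that it
// does require must resolve to a common non-null algorithm; otherwise the
// negotiation fails instead of silently falling back to null.
func SelectAlgorithms(m ProtectionMechanism, ue, an AlgorithmLists) (cipherAlg, integrityAlg string, err error) {
	cipherAlg, integrityAlg = "null", "null"
	if m.EncryptionRequired {
		cipherAlg = pick(an.Ciphering, ue.Ciphering)
		if cipherAlg == "" || cipherAlg == "null" {
			return "", "", fmt.Errorf("encryption required but no common non-null encryption algorithm")
		}
	}
	if m.IntegrityRequired {
		integrityAlg = pick(an.Integrity, ue.Integrity)
		if integrityAlg == "" || integrityAlg == "null" {
			return "", "", fmt.Errorf("integrity protection required but no common non-null integrity algorithm")
		}
	}
	return cipherAlg, integrityAlg, nil
}

func main() {
	// Constructed sample inputs: the UE capability and the AN priority list.
	ue := AlgorithmLists{Ciphering: []string{"ZUC", "AES", "null"}, Integrity: []string{"AES", "null"}}
	an := AlgorithmLists{Ciphering: []string{"Snow 3G", "AES", "ZUC", "null"}, Integrity: []string{"Snow 3G", "AES", "null"}}
	c, i, err := SelectAlgorithms(ProtectionMechanism{EncryptionRequired: true, IntegrityRequired: true}, ue, an)
	fmt.Println(c, i, err) // AES AES <nil>
}
```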
In an embodiment of the present invention, the AN may generate the user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption protection based on the determined encryption algorithm, obtaining an air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm, obtaining an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as the first air interface user plane protection key.
In a specific implementation, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID), where K_AN is a key derived by the AMF from the basic key obtained after successful authentication, or from a key derived again after authentication; the derived base station key (K_AN may also be referred to as an intermediate key) is either sent by the AMF directly to the AN, or carried in the user plane protection mechanism sent by the AMF to the AN. The UP algorithm ID may be the identifier of the encryption algorithm or the identifier of the integrity protection algorithm. KDF is a Key Derivation Function, including but not limited to the following cryptographic derivation functions: HMAC (e.g., HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC, VMAC, hash algorithms, and the like. In addition, because the security requirements of different user plane protection mechanisms differ (for example, user plane protection mechanism 1 requires a 256-bit protection key while user plane protection mechanism 2 requires a 128-bit protection key), the first device may use different key derivation algorithms to meet the protection key length requirements of different user plane protection mechanisms (e.g., HMAC-SHA1 to generate a 128-bit protection key and HMAC-SHA256 to generate a 256-bit protection key).
7. The AN sends a security protection algorithm to the UE, and correspondingly, the UE receives a user plane security protection algorithm.
In a specific embodiment, the AN determines the security protection algorithm in step 6, and then the AN sends the security protection algorithm directly to the UE.
In another embodiment, the user plane protection mechanism itself may include a security protection algorithm, and then the AN may send the user plane protection mechanism to the UE, and the UE obtains the security protection algorithm in the user plane protection mechanism after receiving the user plane protection mechanism.
8. The UE generates a user plane protection key according to the user plane security algorithm and K_AN.
In the embodiment of the invention, the UE may generate the user plane protection key based on the security protection algorithm. Specifically, the UE calculates a key for encryption protection based on the received encryption algorithm, obtaining an air interface user plane encryption key; or the UE calculates a key for integrity protection based on the received integrity protection algorithm, obtaining an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as the second air interface user plane protection key.
In a specific implementation, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID), where K_AN is the base station key derived by the UE from the basic key obtained after authentication, or from a key derived again after authentication; the UP algorithm ID may be the identifier of the encryption algorithm or the identifier of the integrity protection algorithm; KDF is a Key Derivation Function, including but not limited to the following cryptographic derivation functions: HMAC (e.g., HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC, VMAC, hash algorithms, and the like.
It can be understood that, when the user plane protection mechanism is implemented in a specific application scenario, the first air interface user plane protection key and the second air interface user plane protection key may be the same key. In uplink transmission, the UE may perform encryption protection and/or integrity protection on the user plane data based on the second air interface user plane protection key, and after receiving the user plane data sent by the UE, the AN decrypts and/or verifies the integrity of the user plane data based on the first air interface user plane protection key. In downlink transmission, the AN performs encryption protection and/or integrity protection on the user plane data based on the first air interface user plane protection key, and after receiving the user plane data sent by the AN, the UE decrypts and/or verifies the integrity of the user plane data based on the second air interface user plane protection key.
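The derivation KDF(K_AN, UP algorithm ID) of steps 6 and 8, followed by the uplink protect/restore round trip just described, as an added Go example that is not the patent's code. Assumed here: HMAC-SHA1 for a 128-bit key and HMAC-SHA256 for a 256-bit key as the page suggests, a one-byte key-type label so that the encryption and integrity keys differ when the same algorithm is chosen for both, AES-CTR and HMAC-SHA256 as the concrete encryption and integrity primitives, and the numeric algorithm identifier, K_AN value and PDU layout, which are all constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

// AlgAES is a constructed UP algorithm identifier; the page only names the algorithm.
const AlgAES byte = 1

// Key type label mixed into the KDF input so that the encryption key and the
// integrity key differ even when both use the same algorithm (e.g. AES + AES).
const (
	KeyTypeCiphering byte = 0x01
	KeyTypeIntegrity byte = 0x02
)

// DeriveUPKey is KDF(K_AN, UP algorithm ID): an HMAC keyed with K_AN over the
// key type and the algorithm identifier. Following the page's remark, HMAC-SHA1
// is used for a 128-bit protection key and HMAC-SHA256 for a 256-bit one; any
// other length requested by the mechanism is rejected rather than guessed.
func DeriveUPKey(kAN []byte, keyType, algID byte, keyBits int) ([]byte, error) {
	var mac hash.Hash
	switch keyBits {
	case 128:
		mac = hmac.New(sha1.New, kAN) // 160-bit output, truncated to 128 bits below
	case 256:
		mac = hmac.New(sha256.New, kAN)
	default:
		return nil, fmt.Errorf("unsupported protection key length %d", keyBits)
	}
	mac.Write([]byte{keyType, algID})
	return mac.Sum(nil)[:keyBits/8], nil
}

// Protect applies "encryption required + integrity protection required" to one
// user plane PDU. Constructed layout: 16-byte counter block (IV) || ciphertext
// || 16-byte truncated HMAC-SHA256 tag computed over the IV and the ciphertext.
func Protect(encKey, intKey, plaintext []byte, count uint32) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv, count) // per-PDU count keeps the CTR keystream unique
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	tag := hmac.New(sha256.New, intKey)
	tag.Write(iv)
	tag.Write(ct)
	out := make([]byte, 0, len(iv)+len(ct)+16)
	out = append(out, iv...)
	out = append(out, ct...)
	return append(out, tag.Sum(nil)[:16]...), nil
}

// Unprotect verifies the tag first and decrypts only if it matches, so that a
// forged or modified PDU is rejected before any of its payload is used.
func Unprotect(encKey, intKey, pdu []byte) ([]byte, error) {
	if len(pdu) < aes.BlockSize+16 {
		return nil, errors.New("PDU too short")
	}
	iv, ct, tag := pdu[:aes.BlockSize], pdu[aes.BlockSize:len(pdu)-16], pdu[len(pdu)-16:]
	want := hmac.New(sha256.New, intKey)
	want.Write(iv)
	want.Write(ct)
	if !hmac.Equal(tag, want.Sum(nil)[:16]) {
		return nil, errors.New("integrity verification failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	// Constructed K_AN shared by AN and UE after authentication (32 bytes).
	kAN := []byte("constructed-K_AN-32-bytes-long!!")
	anEnc, _ := DeriveUPKey(kAN, KeyTypeCiphering, AlgAES, 128) // first key, AN side
	anInt, _ := DeriveUPKey(kAN, KeyTypeIntegrity, AlgAES, 256)
	ueEnc, _ := DeriveUPKey(kAN, KeyTypeCiphering, AlgAES, 128) // second key, UE side
	ueInt, _ := DeriveUPKey(kAN, KeyTypeIntegrity, AlgAES, 256)
	fmt.Println("keys match:", bytes.Equal(anEnc, ueEnc) && bytes.Equal(anInt, ueInt))
	pdu, _ := Protect(ueEnc, ueInt, []byte("uplink user plane data"), 7) // UE protects uplink
	pt, err := Unprotect(anEnc, anInt, pdu)                               // AN restores it
	fmt.Printf("%q %v\n", pt, err)
}
```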
It should be noted that, in the above method flow of this embodiment, the following possibilities exist:
possibility 1: if the AMF does not need the information of the indicator in the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the indicator may not be included in the attach request).
Possibility 2: the sequence of the above flow steps is not limited in this embodiment, for example, the AMF may determine the user plane protection mechanism before the bidirectional authentication (i.e., step 4 may be placed before step 3).
It should also be noted that the embodiment of fig. 3 is only used as an example and should not be construed as limiting the invention.
It can be seen that, by implementing the embodiment of the present invention in a future 5G-based communication architecture, the UE and the AN complete policy negotiation during attachment to the network: the AMF determines a user plane protection mechanism according to the security requirements required by the user equipment side (including the security requirements of different services) and the security requirements preset by the network side, and the UE and the AN each determine a security protection algorithm and a key, thereby implementing security protection of user plane data.
A further key configuration method provided in the embodiment of the present invention is described below from the viewpoint of not distinguishing granularity based on UE-AN, and as shown in fig. 4, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. In the process of attaching to the network, the UE sends an attach request (attach request) to the AN, the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
In the embodiment of the present invention, the attach request includes a user equipment identifier (UE ID), a security capability of the user equipment, and indication information (indicator) of security requirement; in addition, the attach request may further include a service ID, a UE service ID, and a DNN. For details of the UE ID, the UE security capability, the indicator, the service ID, the UE service ID, and the DNN, reference may be made to the related description in the embodiment of fig. 3, which is not repeated herein.
In a specific embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF directly sends the authentication request to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving the authentication request, where the authentication request includes the UE ID.
In addition, in a possible embodiment, the AMF may send the UE security capability, the indication information (indicator) of the security requirement, the service ID, the UE service ID, and the DNN to the AUSF according to the requirement of the AUSF; alternatively, the AMF directly forwards the contents of the attach request further to the AUSF.
The AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a valid user.
4. The AUSF determines the user plane protection mechanism.
In the specific embodiment of the present invention, the AUSF may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and service security requirement fed back by the AF. That is, the AUSF may comprehensively determine the user plane protection mechanism according to the security requirement required by the user equipment side and the security requirement or service security requirement preset by the network side. Details of the mechanism for determining the user plane protection by the AUSF may be similarly described with reference to the related contents of the mechanism for determining the user plane protection by the AMF in the embodiment of fig. 3, and are not described herein again.
5. The AUSF sends the user plane protection mechanism to the AMF, the AMF sends the user plane protection mechanism to the AN, and correspondingly, the AN receives the user plane protection mechanism.
6. The AN determines a security protection algorithm and determines a user plane protection key.
For details, reference may be made to the description of step 6 in the embodiment of fig. 3, which is not described herein again.
7. The AN sends a security protection algorithm to the UE, and correspondingly, the UE receives a user plane security protection algorithm.
8. The UE generates a user plane protection key according to the user plane security algorithm and K_AN.
For details, reference may be made to the description of step 8 in the embodiment of fig. 3, which is not described herein again.
It should be noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: if the AUSF does not need the information of the indicator in the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the indicator may not be included in the attach request).
Possibility 2: in this embodiment, the sequence of the above flow steps is not limited, for example, the AUSF may determine the user plane protection mechanism before the bidirectional authentication.
It should also be noted that, where the embodiment in fig. 4 is not described in detail, reference may be made to the description related to the embodiment in fig. 3, and the embodiment in fig. 4 is only used as an example and should not be construed as a limitation to the present invention.
It can be seen that the main difference between the embodiment in fig. 4 and the embodiment in fig. 3 is that, in the process of attaching to the network, the AUSF determines the user plane protection mechanism according to the security requirements (including the security requirements of different services) required by the user equipment side and the security requirements preset by the network side.
By implementing the embodiment of the invention, a communication architecture based on the future 5G can be realized: in the process of network attachment, the UE-AN completes policy negotiation, and after the user plane protection mechanism is determined through the AUSF, the UE and the AN respectively determine a security protection algorithm and a key, thereby realizing the security protection of user plane data.
A further key configuration method provided in the embodiment of the present invention is described below from the viewpoint of not distinguishing granularity based on UE-AN, and as shown in fig. 5, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. In the process of attaching to the network, the UE sends an attach request (attach request) to the AN, the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
In the embodiment of the present invention, the attach request includes a user equipment identifier (UE ID), a security capability of the user equipment, and indication information (indicator) of security requirement; in addition, the attach request may further include a service ID, a UE service ID, and a DNN.
In a specific embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF directly sends the authentication request to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving the authentication request, where the authentication request includes the UE ID.
The AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a valid user.
4. The AMF sends a session request to the SMF, and correspondingly, the SMF receives the session request.
The session request is for requesting that a session be established between the AMF and the SMF. For example, if the session is established by the session establishment protocol, the session request is the session establishment request signaling.
The session request includes at least a session identification (session ID).
5. The SMF sends SMF response information to the AMF, the AMF sends the SMF response information to the AN, and correspondingly, the AN receives the SMF response information.
The SMF response information may include security requirements preset by the network side, for example, UE registration information fed back by the UDM, subscription service data fed back by the UDM, or service security requirements fed back by the AF. The SMF response information may further include an authentication result of the secondary authentication between the UE and the data network DN. For example, based on the session request, after the UE performs secondary authentication with the data network DN through the SMF, the SMF writes the authentication result into the SMF response information and then sends the SMF response information to the AN. After obtaining the authentication result, if the authentication result is found to be correct (i.e., authentication passes), the AN executes the following procedure of determining the user plane protection mechanism; if the authentication result is found to be incorrect (i.e., authentication fails), the following procedure of determining the user plane protection mechanism is not performed.
6. The AN determines the user plane protection mechanism.
In the specific embodiment of the present invention, the AN may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and the service security requirement fed back by the AF. That is, the AN may determine the user plane protection mechanism comprehensively according to the security requirement required by the user equipment side and the security requirement or service security requirement preset by the network side. For details of how the AN determines the user plane protection mechanism, reference may be made to the related description of how the AMF determines the user plane protection mechanism in the embodiment of fig. 3, which is not described herein again.
7. The AN determines a security protection algorithm and determines a user plane protection key.
For details, reference may be made to the description of step 6 in the embodiment of fig. 3, which is not described herein again.
8. The AN sends a security protection algorithm to the UE, and correspondingly, the UE receives a user plane security protection algorithm.
9. The UE generates a user plane protection key according to the user plane security algorithm and K_AN.
For details, reference may be made to the description of step 8 in the embodiment of fig. 3, which is not described herein again.
It should be noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: if the AN does not need the information of the indicator in the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the indicator may not be included in the attach request).
Possibility 2: in this embodiment, the sequence of the above flow steps is not limited, for example, the AN may determine the user plane protection mechanism before step 4 (the AMF sends the session request to the SMF).
Possibility 3: in step 4, the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
It should be noted that, where the embodiment in fig. 5 is not described in detail, reference may be made to the description related to the embodiment in fig. 3, and the embodiment in fig. 5 is only used as an example and should not be construed as a limitation to the present invention.
It can be seen that the main difference between the embodiment in fig. 5 and the embodiment in fig. 3 is that the AN determines the user plane protection mechanism according to the security requirements (including the security requirements of different services) required by the user equipment side and the security requirements preset by the network side in the relevant flow of session establishment.
By implementing the embodiment of the invention, based on a future 5G communication architecture, in a session establishment process, UE-AN completes policy negotiation, and after the AN determines a user plane protection mechanism, the UE and the AN respectively determine a security protection algorithm and a key, thereby realizing the security protection of user plane data.
A further key configuration method provided in the embodiment of the present invention is described below from the viewpoint of not distinguishing granularity based on UE-AN, and as shown in fig. 6, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. In the process of attaching to the network, the UE sends an attach request (attach request) to the AN, the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
In the embodiment of the present invention, the attach request includes a user equipment identifier (UE ID), a security capability of the user equipment, and indication information (indicator) of security requirement; in addition, the attach request may further include a service ID, a UE service ID, and a DNN.
In a specific embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF directly sends the authentication request to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving the authentication request, where the authentication request includes the UE ID.
The AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a valid user.
4. The AMF sends a session request to the SMF, and correspondingly, the SMF receives the session request.
The session request is for requesting that a session be established between the AMF and the SMF. For example, if the session is established by the session establishment protocol, the session request is the session establishment request signaling.
The session request includes at least a session identification (session ID).
5. The UE and the DN carry out secondary authentication.
Specifically, based on the session request, the UE performs secondary authentication with the DN through the SMF; if the authentication passes, the authentication result is correct, and if the authentication fails, the authentication result is incorrect, and the SMF may obtain the authentication result.
It should be noted that this step is an optional step.
6. The SMF sends an SMF response message to the AMF.
Specifically, the SMF generates SMF response information.
The SMF response information may include security requirements preset by the network side, for example, UE registration information fed back by the UDM, or subscription service data fed back by the UDM, or service security requirements fed back by the AF, and the like, so that the AMF may further determine the user plane protection mechanism according to the security requirements in the SMF response information after obtaining the SMF response information.
In addition, the SMF response message may further include an authentication result of the secondary authentication between the UE and the data network DN. For example, based on the session request, after the UE performs secondary authentication with the data network DN through the SMF, the SMF writes the authentication result into the SMF response message and then sends the SMF response message to the AMF. After the AMF learns the authentication result, if the authentication result is found to be correct (i.e., authentication passes), the following procedure of determining the user plane protection mechanism is executed; if the authentication result is found to be incorrect (i.e., authentication fails), the following procedure of determining the user plane protection mechanism is not performed.
7. The AMF determines the user plane protection mechanism.
In a specific embodiment of the present invention, the AMF may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and the service security requirement fed back by the AF. That is, the AMF may determine the user plane protection mechanism comprehensively according to the security requirement required by the user equipment side and the security requirement or service security requirement preset by the network side. In addition, according to the SMF response message (including the authentication result), the AMF may also decide whether to determine the user plane protection mechanism according to the relevant security requirements (such as the service security requirement fed back by the AF), that is, whether to perform the step of determining the user plane protection mechanism at all. For details of how the AMF determines the user plane protection mechanism in this embodiment, reference may also be made to the description of how the AMF determines the user plane protection mechanism in the embodiment of fig. 3, which is not described herein again.
8. The AMF sends the user plane protection mechanism to the AN.
9. The AN determines a security protection algorithm and determines a user plane protection key.
For details, reference may be made to the description of step 6 in the embodiment of fig. 3, which is not described herein again.
10. The AN sends a security protection algorithm to the UE, and correspondingly, the UE receives a user plane security protection algorithm.
11. The UE generates a user plane protection key according to the user plane security algorithm and K_AN.
For details, reference may be made to the description of step 8 in the embodiment of fig. 3, which is not described herein again.
It should be noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: if the AMF does not need the information of the indicator in the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the indicator may not be included in the attach request).
Possibility 2: the sequence of the above flow steps is not limited in this embodiment, for example, the AMF may determine the user plane protection mechanism before step 4.
Possibility 3: in step 4, the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
It should be noted that, where the embodiment in fig. 6 is not described in detail, reference may be made to the description related to the embodiment in fig. 3, and the embodiment in fig. 6 is only used as an example and should not be construed as a limitation to the present invention.
It can be seen that the main difference between the embodiment in fig. 6 and the embodiment in fig. 3 is that the AMF determines the user plane protection mechanism according to the security requirements (including the security requirements of different services) required by the user equipment side and the security requirements preset by the network side in the relevant flow of session establishment.
By implementing the embodiment of the invention, a communication architecture based on the future 5G can be realized: in the session establishment process, the UE-AN completes policy negotiation, and after the user plane protection mechanism is determined through the AMF, the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of the user plane data.
A further key configuration method provided in the embodiment of the present invention is described below from the viewpoint of not distinguishing granularity based on UE-AN, and as shown in fig. 7, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. In the process of attaching to the network, the UE sends an attach request (attach request) to the AN, the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
In the embodiment of the present invention, the attach request includes a user equipment identifier (UE ID), a security capability of the user equipment, and indication information (indicator) of security requirement; in addition, the attach request may further include a service ID, a UE service ID, and a DNN.
In a specific embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF directly sends the authentication request to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving the authentication request, where the authentication request includes the UE ID.
The AUSF performs authentication with the UE based on the UE ID, and determines that the UE is a valid user.
4. The UE sends a session request to the SMF through the AN and the AMF, and correspondingly, the SMF receives the session request.
The session request is for requesting that a session be established between the UE and the SMF. For example, if the session is established by the session establishment protocol, the session request is the session establishment request signaling.
The session request at least includes a session identifier (session ID), and optionally, the session request may further include a user equipment identifier (UE ID), indication information (indicator) of the security requirement, a DNN, a service ID, a UE service ID, and the like. The UE service ID may be carried in the session request when the UE establishes a session, where the UE service ID is a user equipment identifier (UE ID), or an indicator of the security requirement (indicator), or a DNN and a service ID.
5. Optionally, the UE performs secondary authentication with the DN.
6. The SMF determines the user plane protection mechanism.
In the specific embodiment of the present invention, the SMF may determine the user plane protection mechanism according to one, two, three, or all of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and the service security requirement fed back by the AF. That is, the SMF may comprehensively determine the user plane protection mechanism according to the security requirement required by the user equipment side, the security requirement preset by the network side, or the security requirement of the service. Specifically, the SMF may obtain the UE registration information from the UDM by sending at least one of a UE ID, a service UE ID, or a DNN to the UDM. The SMF may obtain the subscription service data from the UDM by sending at least one of a UE ID, a service UE ID, or a DNN to the UDM. The SMF sends a request to the PCF, the PCF forwards the request to the AF, and the AF feeds back the service security requirement to the PCF based on the request, where the request may include at least one of a UE ID, a service UE ID, or a DNN; the PCF then sends the service security requirement to the SMF, and the SMF thereby obtains the service security requirement. The service security requirement indicates what user plane protection mechanism the service requires, for example, whether the service needs encryption, whether it needs integrity protection, or whether it needs both encryption and integrity protection.
7. The SMF sends the user plane protection mechanism to the AMF, the AMF sends the user plane protection mechanism to the AN, and correspondingly, the AN receives the user plane protection mechanism.
8. The AN determines a security protection algorithm and determines a user plane protection key.
For details, reference may be made to the description of step 6 in the embodiment of fig. 3, which is not described herein again.
9. The AN sends a security protection algorithm to the UE, and correspondingly, the UE receives a user plane security protection algorithm.
10. The UE generates a user plane protection key according to the user plane security algorithm and K_AN.
For details, reference may be made to the description of step 8 in the embodiment of fig. 3, which is not described herein again.
It should be noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: if the SMF does not need the information of the indicator in the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the indicator may not be included in the attach request).
Possibility 2: in this embodiment, the sequence of the above flow steps is not limited, for example, the SMF may determine the user plane protection mechanism before step 5.
Possibility 3: in step 4, the session establishment procedure may also be initiated by the AMF, i.e. the AMF sends a session request to the SMF. In this case, the session request at least includes a session identifier (session ID), and optionally, the session request may further include a user equipment identifier (UE ID), indication information (indicator) of the security requirement, a DNN, a service ID, a UE service ID, and the like. The UE service ID may be obtained by the AMF from the received attach request, where the attach request carries this information.
Possibility 4: the SMF determines the user plane protection mechanism, which may refer to the AMF determining the user plane protection mechanism in the embodiment of fig. 3.
Possibility 5: the method by which the AN and the UE derive the user plane protection key may also be based on the method of fig. 12, including a method based on the session ID, slice ID, flow ID, or DRB ID. After the AN selects the DRB ID, it sends the selected DRB ID to the UE.
It should be noted that, where the embodiment in fig. 7 is not described in detail, reference may be made to the description related to the embodiment in fig. 3, and the embodiment in fig. 7 is only used as an example and should not be construed as a limitation to the present invention.
It can be seen that the main difference between the embodiment in fig. 7 and the embodiment in fig. 3 is that the SMF determines the user plane protection mechanism according to the security requirements (including the security requirements of different services) required by the user equipment side and the security requirements preset by the network side in the session establishment procedure.
By implementing the embodiment of the invention, a communication architecture based on the future 5G can be realized, in the session establishment process, the UE-AN completes the strategy negotiation, and after the user plane protection mechanism is determined through the SMF, the UE and the AN respectively determine the security protection algorithm and the key, thereby realizing the security protection of the user plane data.
A key configuration method provided in the embodiment of the present invention is described below from the viewpoint of not distinguishing granularity based on UE-CN, and as shown in fig. 8, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. In the process of attaching to the network, the UE sends an attach request (attach request) to the AN, the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
In the embodiment of the present invention, the attach request includes a user equipment identifier (UE ID), a security capability of the user equipment, and indication information (indicator) of security requirement; in addition, the attach request may further include a service ID, a UE service ID, and a DNN.
In a specific embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF directly sends the authentication request to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving the authentication request, where the authentication request includes the UE ID.
The AUSF performs authentication with the UE based on the UE ID in the attach request, and determines that the UE is a valid user.
4. The AMF determines the user plane protection mechanism.
In a specific embodiment of the present invention, the AMF may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and the service security requirement fed back by the AF. That is, the AMF may determine the user plane protection mechanism comprehensively according to the security requirement required by the user equipment side and the security requirement or service security requirement preset by the network side. For details of how the AMF determines the user plane protection mechanism in this embodiment, reference may be made to the description of how the AMF determines the user plane protection mechanism in the embodiment of fig. 3, which is not described herein again.
5. The AMF sends a session request and the user plane protection mechanism to the SMF, and correspondingly, the SMF receives the session request and the user plane protection mechanism.
The session request is for requesting that a session be established between the AMF and the SMF. For example, if the session is established by the session establishment protocol, the session request is the session establishment request signaling. The session request includes at least a session identification (session ID).
In a specific implementation, in an embodiment, the user plane protection mechanism is carried in the session request, that is, the AMF sends the session request to the SMF, where the session request includes the user plane protection mechanism.
In another embodiment, the AMF sends a session request and a user plane protection mechanism to the SMF, respectively.
6. The UE and the DN carry out secondary authentication.
7. The SMF determines a security protection algorithm and determines a user plane protection key.
In a specific embodiment, if the user plane protection mechanism only includes a description of whether to encrypt/whether to perform integrity protection, the SMF determines whether the user plane protection mechanism between the UE and CN needs to encrypt and whether to perform integrity protection, and then the SMF determines a security protection algorithm according to the received UE security capability and an algorithm priority list supported by the UPF, where the algorithm priority list supported by the UPF may be preset in the SMF or preset in the UPF, and the SMF obtains the algorithm priority list supported by the UPF from the UPF. For example, when the user plane protection mechanism is "encryption required + integrity protection required", the SMF determines that the encryption algorithm is AES and the integrity protection algorithm is AES according to the UE security capability, the algorithm priority list supported by the UPF, and the algorithm supported by the UE.
In another embodiment, the user plane protection mechanism directly specifies a designated security protection algorithm, and the SMF may obtain the security protection algorithm directly from the user plane protection mechanism. In step 4, after determining the user plane protection mechanism, the AMF may determine an air interface protection algorithm based on the algorithm priority list supported by the UPF, the algorithms supported by the UE, and the security capability of the UE, where the algorithm priority list supported by the UPF may be preset in the AMF or preset in the UPF, in which case the AMF obtains the algorithm priority list supported by the UPF from the UPF. For example, under a user plane protection mechanism of "encryption required + integrity protection required", the AMF further determines that the encryption algorithm is AES and the integrity protection algorithm is AES, and carries the security protection algorithm in the user plane protection mechanism. In this case, since the user plane protection mechanism directly specifies the encryption algorithm and the integrity protection algorithm, the SMF can obtain the encryption algorithm and the integrity protection algorithm directly from the user plane protection mechanism after receiving it.
In a possible embodiment, after determining the security protection algorithm, the SMF may further determine a user plane protection key, specifically:
the user plane protection key = KDF(K_SMF, UP algorithm ID),
or, the user plane protection key = KDF(K_SMF, UP algorithm ID, flow ID),
or, the user plane protection key = KDF(K_SMF, UP algorithm ID, session ID),
or, the user plane protection key = KDF(K_SMF, UP algorithm ID, DRB ID);
where K_SMF is a key derived by the AMF from the key obtained after authentication, or from a key derived again after authentication, in which case the AMF sends K_SMF to the SMF; or K_SMF is a key derived by the AUSF after successful authentication from the key obtained after authentication, or from a key derived again after authentication, in which case the AUSF sends K_SMF to the SMF. The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID.
8. The SMF sends the security protection algorithm or the user plane protection key to the UPF, and correspondingly the UPF receives the security protection algorithm or the user plane protection key.
In a possible embodiment, if the UPF receives only the security protection algorithm and does not receive the user plane protection key, the UPF may calculate a user plane protection key (refer to the related description above) based on the security protection algorithm and K_SMF, where this user plane protection key is the user plane protection key of the UPF. Here K_SMF is derived by the AMF, after successful authentication, from the authenticated key or from a key derived again after authentication, and the AMF sends K_SMF to the UPF; alternatively, K_SMF is derived by the AUSF, after successful authentication, from the authenticated key or from a key derived again after authentication, and the AUSF sends K_SMF to the UPF.
In a possible embodiment, if the UPF receives the user plane protection key, the user plane protection key is taken as the user plane protection key of the UPF.
9. The SMF sends a security protection algorithm to the AMF.
It should be noted that, if the security protection algorithm is determined by the SMF according to the received UE security capability, the algorithm priority list supported by the UPF, and the like, the SMF sends the security protection algorithm to the AMF.
Optionally, the SMF sends the security protection algorithm to the AMF as follows: the SMF sends a session response to the AMF, and the session response carries the security protection algorithm.
It should be noted that, if the security protection algorithm is determined by the AMF based on the algorithm priority list supported by the UPF, the algorithms supported by the UE, and the UE security capability, the SMF does not need to send the security protection algorithm to the AMF.
10. The AMF sends the security protection algorithm and the user plane protection mechanism to the AN, where the user plane protection mechanism is optional.
11. The AN sends the security protection algorithm and the user plane protection mechanism to the UE, where the user plane protection mechanism is optional.
12. The UE generates a user plane protection key according to the user plane security algorithm, the user plane protection mechanism, and K_SMF; or the UE generates the user plane protection key according to the user plane security algorithm and K_SMF.
In a possible embodiment, after receiving the security protection algorithm, the UE may further determine a user plane protection key, where this user plane protection key is the user plane protection key of the UE, specifically:
the user plane protection key is KDF(K_SMF, UP algorithm ID);
alternatively, the user plane protection key is KDF(K_SMF, UP algorithm ID, flow ID);
alternatively, the user plane protection key is KDF(K_SMF, UP algorithm ID, session ID);
or, the user plane protection key is KDF(K_SMF, UP algorithm ID, DRB ID);
or user plane protection mechanism parameters are added to the input of the derivation function. Here K_SMF is derived by the UE, after successful authentication, from the authenticated key or from a key derived again after authentication; on the network side, the AMF derives K_SMF the same way and sends it to the UE, or the AUSF derives K_SMF after successful authentication from the authenticated key or from a key derived again after authentication and sends K_SMF to the UE. The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID.
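The derivations above (SMF/UPF side in steps 7 and 8, UE side in step 12) as an added example that is not part of the patent: the page writes the key as KDF(K_SMF, UP algorithm ID[, flow ID | session ID | DRB ID]) but fixes neither the KDF nor an encoding, so HMAC-SHA256 over length-prefixed parameters is assumed here, the key and algorithm identifiers are constructed sample values, and an algorithm-type label ("encryption"/"integrity") is added to the KDF input as an assumption so that the ciphering and integrity keys differ even when both algorithm IDs are equal, a case the page's formula does not address. It also shows the practitioner's check: both sides derive the same key only when they hold the same K_SMF and were given the same algorithm ID and granularity identifier.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Added example, not the patent's own code. HMAC-SHA256 as the KDF, the
# length-prefixed parameter encoding and the algorithm-type label are
# assumptions; K_SMF_SAMPLE and the algorithm IDs are constructed values.
K_SMF_SAMPLE = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
GRANULARITIES = ("flow ID", "session ID", "DRB ID")


def kdf(key: bytes, *params: bytes) -> bytes:
    """Assumed KDF: HMAC-SHA256 over 2-byte length-prefixed parameters, so
    parameter boundaries are unambiguous (b"ab",b"c" != b"a",b"bc")."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def user_plane_key(k_smf: bytes, alg_type: str, up_alg_id: int,
                   granularity: Optional[str] = None, granularity_id: int = 0,
                   mechanism: Optional[str] = None) -> bytes:
    """The page's variants: KDF(K_SMF, UP algorithm ID) optionally extended
    with a flow ID, session ID or DRB ID; 'mechanism' optionally feeds the
    user plane protection mechanism into the KDF input, as the UE-side
    variant allows. alg_type distinguishes ciphering from integrity keys."""
    if alg_type not in ("encryption", "integrity"):
        raise ValueError("alg_type must be 'encryption' or 'integrity'")
    params = [alg_type.encode(), up_alg_id.to_bytes(1, "big")]
    if granularity is not None:
        if granularity not in GRANULARITIES:
            raise ValueError("unsupported granularity: " + granularity)
        params.append(granularity.encode() + granularity_id.to_bytes(4, "big"))
    if mechanism is not None:
        params.append(mechanism.encode())
    return kdf(k_smf, *params)


def derive_session_keys(k_smf: bytes, enc_alg_id: int, int_alg_id: int,
                        session_id: int) -> Tuple[bytes, bytes]:
    """Session-granularity (ciphering key, integrity key) pair, as the SMF
    or UPF computes it in step 7/8 and the UE in step 12."""
    return (user_plane_key(k_smf, "encryption", enc_alg_id, "session ID", session_id),
            user_plane_key(k_smf, "integrity", int_alg_id, "session ID", session_id))


def keys_agree(network_keys: Tuple[bytes, ...], ue_keys: Tuple[bytes, ...]) -> bool:
    """Constant-time comparison of both sides' keys. They agree only if both
    hold the same K_SMF and received the same algorithm IDs and session ID;
    if the UE was told a different algorithm, user plane data protected
    with these keys fails to decrypt or to pass the integrity check."""
    return len(network_keys) == len(ue_keys) and all(
        hmac.compare_digest(a, b) for a, b in zip(network_keys, ue_keys))


def demo() -> Dict[str, bool]:
    """Network side vs UE side with identical and with mismatched inputs."""
    network = derive_session_keys(K_SMF_SAMPLE, 1, 1, session_id=7)
    ue_same = derive_session_keys(K_SMF_SAMPLE, 1, 1, session_id=7)
    ue_other_alg = derive_session_keys(K_SMF_SAMPLE, 2, 1, session_id=7)
    return {
        "same_inputs_agree": keys_agree(network, ue_same),
        "different_algorithm_agrees": keys_agree(network, ue_other_alg),
        "enc_and_int_keys_differ": network[0] != network[1],
    }


if __name__ == "__main__":
    print(demo())
```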
It should be noted that, in the above method flow of this embodiment, the following possibilities exist:
Possibility 1: if the AMF does not need the information of the indicator in the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the indicator may not be included in the attach request).
Possibility 2: in this embodiment, the order of the above process steps is not limited, for example, step 8 and step 9 may be performed simultaneously, and step 8 may also be placed before or after step 9.
Possibility 3: in step 4, the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
Possibility 4: if the user plane protection mechanism comprises a specific security protection algorithm, the AMF can also send the user plane protection mechanism to the UPF through the SMF, and the UPF acquires the security protection algorithm in the user plane protection mechanism.
Possibility 5: if the user plane protection mechanism does not include the security protection algorithm, then steps 7-12 can also implement security protection by:
(alternative steps 7 and 8) the SMF calculates a first K_UP, K_UP = KDF(K_SMF, session ID); or K_UP = KDF(K_SMF, QoS flow ID);
(alternative step 9) the SMF sends the session ID, QFI and user plane protection mechanism to the AMF;
(alternative step 10) the AMF sends the session ID, QFI and user plane protection mechanism to the AN;
(alternative step 11) the AN sends the session ID, QFI and user plane protection mechanism to the UE;
(alternative step 12) the UE generates a second K_UP based on K_SMF, where K_SMF is a key derived by the UE from the authenticated key or from a key derived again after authentication;
(additional step 13) the UPF and the UE negotiate a security protection algorithm based on the session ID, QFI and the user plane protection mechanism, and then generate the user plane protection key of the UPF and the user plane protection key of the UE based on the first K_UP and the second K_UP, respectively.
It should be noted that, where the embodiment in fig. 8 is not described in detail, reference may be made to the description related to the embodiment in fig. 3, and the embodiment in fig. 8 is only used as an example and should not be construed as a limitation to the present invention.
It can be seen that the main difference between the embodiment in fig. 8 and the embodiment in fig. 3 is that, in an application scenario of the UE-CN, the AMF determines a user plane protection mechanism according to security requirements (including security requirements of different services) required by the user equipment side and security requirements preset by the network side in a relevant procedure of session establishment.
By implementing this embodiment of the invention, a communication architecture based on future 5G can be realized: in the session establishment process, the UE and the CN complete the policy negotiation, and after the AMF determines the user plane protection mechanism, the UE and the CN each determine the user plane protection key, thereby realizing security protection of user plane data. This embodiment achieves network security protection between the UE and the core network, avoids the drawbacks of the hop-by-hop segmented protection mode, and improves the security of user plane data transmission.
A key configuration method provided in the embodiment of the present invention is described below from the viewpoint of not distinguishing granularity based on UE-CN, and as shown in fig. 9, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. In the process of attaching to the network, the UE sends an attach request to the AN, the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
In the embodiment of the present invention, the attach request includes a user equipment identifier (UE ID), a security capability of the user equipment, and indication information (indicator) of security requirement; in addition, the attach request may further include a service ID, a UE service ID, and a DNN.
In a specific embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF directly sends the authentication request to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving the authentication request, where the authentication request includes the UE ID.
The AUSF performs authentication with the UE based on the UE ID in the attach request and determines that the UE is a legitimate user.
4. The AUSF determines the user plane protection mechanism.
In the specific embodiment of the present invention, the AUSF may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and service security requirement fed back by the AF. That is, the AUSF may comprehensively determine the user plane protection mechanism according to the security requirement required by the user equipment side and the security requirement or service security requirement preset by the network side. For details of the AUSF-determined user plane protection mechanism in this embodiment, reference may be made to the description of the relevant contents of the AMF-determined user plane protection mechanism in the embodiment in fig. 3, which is not described herein again.
5. AUSF sends user plane protection mechanism to SMF, and SMF receives the user plane protection mechanism correspondingly.
6. The AMF sends a session request to the SMF, and correspondingly, the SMF receives the session request.
The session request is for requesting that a session be established between the AMF and the SMF. For example, if the session is established by the session establishment protocol, the session request is the session establishment request signaling. The session request includes at least a session identification (session ID).
7. Optionally, the UE performs secondary authentication with the DN.
8. The SMF determines a security protection algorithm and determines a user plane protection key.
The details can be referred to the related description of step 7 in the embodiment of fig. 8.
9. SMF sends security protection algorithm and user plane protection key to UPF, and UPF receives security protection algorithm and user plane protection key. Wherein the security protection algorithm is optional.
10. The SMF sends the security protection algorithm and the user plane protection mechanism to the AMF, where the user plane protection mechanism is optional.
11. The AMF sends a security protection algorithm and a user plane protection mechanism to the AN. Wherein the user plane protection mechanism is optional.
12. The AN sends a security protection algorithm and a user plane protection mechanism to the UE. Wherein the user plane protection mechanism is optional.
13. The UE generates a user plane protection key according to the user plane security algorithm, the user plane protection mechanism, and K_SMF; or the UE generates the user plane protection key according to the user plane security algorithm and K_SMF.
Where not described in detail in this embodiment, reference may be made to the description relating to the embodiment of fig. 8.
It should be noted that, in the above method flow of this embodiment, the following possibilities exist:
Possibility 1: if the AMF does not need the information of the indicator in the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the indicator may not be included in the attach request).
Possibility 2: in this embodiment, the order of the above process steps is not limited, for example, step 9 and step 10 may be performed simultaneously, and step 8 may also be placed before or after step 9.
Possibility 3: in step 4, the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
Possibility 4: if the user plane protection mechanism comprises a specific security protection algorithm, the AUSF may also send the user plane protection mechanism to the UPF through the SMF, and the UPF obtains the security protection algorithm in the user plane protection mechanism.
Possibility 5: if the user plane protection mechanism does not include the security protection algorithm, then steps 7-12 can also implement security protection by:
(alternative steps 8 and 9) the SMF sends the session ID, QFI, and user plane protection key to the UPF; in addition, the UPF also obtains a first K_SMF, where the first K_SMF is derived by the AMF, after successful authentication, from the authenticated key or from a key derived again after authentication, and the AMF sends K_SMF to the UPF; alternatively, K_SMF is derived by the AUSF, after successful authentication, from the authenticated key or from a key derived again after authentication, and the AUSF sends K_SMF to the UPF;
(alternative step 10) the SMF sends the session ID, QFI and user plane protection mechanism to the AMF;
(alternative step 11) AMF sends session ID, QFI and user plane protection mechanism to AN;
(alternative step 12) the AN sends the session ID, QFI and user plane protection mechanism to the UE;
(alternative step 13) the UPF and the UE negotiate a security protection algorithm based on the session ID, QFI and the user plane protection mechanism, and then generate the user plane protection key of the UPF and the user plane protection key of the UE based on the first K_SMF and the second K_SMF, respectively. The second K_SMF is derived by the AMF, after successful authentication, from the authenticated key or from a key derived again after authentication, and the AMF sends K_SMF to the UE; alternatively, K_SMF is derived by the AUSF, after successful authentication, from the authenticated key or from a key derived again after authentication, and the AUSF sends K_SMF to the UE.
It should be noted that, where the embodiment in fig. 8 is not described in detail, reference may be made to the description related to the embodiment in fig. 3, and the embodiment in fig. 8 is only used as an example and should not be construed as a limitation to the present invention.
It can be seen that the main difference between the embodiment in fig. 9 and the embodiment in fig. 8 is that the AUSF determines the user plane protection mechanism according to the security requirements (including the security requirements of different services) required by the user equipment side and the security requirements preset by the network side in the relevant flow of session establishment.
By implementing this embodiment of the invention, a communication architecture based on future 5G can be realized: in the session establishment process, the UE and the CN complete the policy negotiation, and after the AUSF determines the user plane protection mechanism, the UE and the CN each determine the user plane protection key, thereby realizing security protection of user plane data. This embodiment achieves network security protection between the UE and the core network, avoids the drawbacks of the hop-by-hop segmented protection mode, and improves the security of user plane data transmission.
A key configuration method provided in the embodiment of the present invention is described below from the viewpoint of not distinguishing granularity based on UE-CN, and as shown in fig. 10, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. In the process of attaching to the network, the UE sends an attach request to the AN, the AN sends the attach request to the AMF, and the AMF sends the UE ID to the AUSF.
In the embodiment of the present invention, the attach request includes a user equipment identifier (UE ID), a security capability of the user equipment, and indication information (indicator) of security requirement; in addition, the attach request may further include a service ID, a UE service ID, and a DNN.
In a specific embodiment, the AMF identifies the UE ID in the attach request and sends the UE ID to the AUSF; in another specific embodiment, the AMF directly sends the authentication request to the AUSF, and the AUSF identifies the UE ID in the authentication request after receiving the authentication request, where the authentication request includes the UE ID.
The AUSF performs authentication with the UE based on the UE ID in the attach request and determines that the UE is a legitimate user.
4. The AMF sends a session request to the SMF, and correspondingly, the SMF receives the session request.
The session request is for requesting that a session be established between the UE and the SMF. For example, if the session is established by the session establishment protocol, the session request is the session establishment request signaling.
The session request at least includes a session identifier (session ID), and optionally, the session request may further include a user equipment identifier (UE ID), an indication information (indicator) of security requirement, or a DNN, a service ID, a UE service ID, and the like. The UE service ID may be carried in a session request when the UE establishes a session, where the UE service ID is a user equipment identity (UE ID), or an indicator of security requirement (indicator), or DNN and a service ID.
5. Optionally, the UE performs secondary authentication with the DN.
6. The SMF determines the user plane protection mechanism.
In this specific embodiment of the present invention, the SMF may determine the user plane protection mechanism according to at least one of an indicator (user equipment security requirement and/or service security requirement), UE registration information, subscription service data, and the service security requirement fed back by the AF. That is, the SMF may determine the user plane protection mechanism comprehensively according to the security requirement required by the user equipment side and the security requirement or service security requirement preset by the network side. For details of the SMF-determined user plane protection mechanism, reference may be made to the description of the AMF-determined user plane protection mechanism in the embodiment of fig. 3, which is not repeated here.
7. The SMF determines a security protection algorithm and determines a user plane protection key.
The details can be referred to the description of step 7 of the embodiment of fig. 8.
8. The SMF sends the security protection algorithm or the user plane protection key to the UPF, and correspondingly the UPF receives the security protection algorithm or the user plane protection key.
9. The SMF sends a security protection algorithm to the AMF.
10. The AMF sends a security protection algorithm and a user plane protection mechanism to the AN. Wherein the user plane protection mechanism is optional.
11. The AN sends the security protection algorithm and the user plane protection mechanism to the UE, where the user plane protection mechanism is optional.
12. The UE generates a user plane protection key according to the user plane security algorithm, the user plane protection mechanism, and K_SMF; or the UE generates the user plane protection key according to the user plane security algorithm and K_SMF.
It should be noted that, where not described in detail in this embodiment, reference may be made to the description related to the embodiment in fig. 8.
It should be further noted that, in the above method flow of this embodiment, the following possibilities exist:
Possibility 1: if the SMF does not need the information of the indicator in the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the indicator may not be included in the attach request).
Possibility 2: in this embodiment, the sequence of the above flow steps is not limited, for example, the SMF may determine the user plane protection mechanism before step 5. For example, step 8 and step 9 may be performed simultaneously, and step 8 may be placed before or after step 9.
Possibility 3: in step 4, the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
Possibility 4: if the user plane protection mechanism comprises a specific security protection algorithm, the SMF may also send the user plane protection mechanism to the UPF, and the UPF obtains the security protection algorithm in the user plane protection mechanism.
The embodiment of fig. 10 is provided as an example only and should not be construed as limiting the invention.
It can be seen that the main difference between the embodiment of fig. 10 and the embodiment of fig. 8 is that, in the relevant flow of session establishment, the SMF determines the user plane protection mechanism according to the security requirements (including the security requirements of different services) required by the user equipment side and the security requirements preset by the network side.
By implementing this embodiment of the invention, a communication architecture based on future 5G can be realized: in the session establishment process, the UE and the CN complete the policy negotiation, and after the SMF determines the user plane protection mechanism, the UE and the CN each determine the user plane protection key, thereby realizing security protection of user plane data. This embodiment achieves network security protection between the UE and the core network, avoids the drawbacks of the hop-by-hop segmented protection mode, and improves the security of user plane data transmission.
A flow-based key configuration method provided in the embodiment of the present invention is described below from the viewpoint of granularity differentiation based on UE-AN, and as shown in fig. 11, the flow-based key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. In the process of attaching to the network, the UE sends an attach request to the AUSF through the AN and the AMF, and the AUSF performs authentication with the UE based on the UE ID and determines that the UE is a valid user.
4. The UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
The session request is for requesting that a session be established between the UE and the SMF. For example, if the session is established by the session establishment protocol, the session request is the session establishment request signaling.
5. The SMF sends a policy request to the PCF.
In the embodiment of the invention, the function of policy control is deployed in the PCF, and the SMF sends a policy request to the PCF, so that the PCF determines a corresponding user plane protection mechanism according to the policy request. Specifically, the policy request at least includes a session identifier (session ID), and may further include a user equipment identifier (UE ID), indication information of security requirement (indicator), security capability of the user equipment, a service ID, a UE service ID, and a DNN. Wherein the indication information (indicator) of the security requirement is used for indicating the equipment security requirement and/or the service security requirement; the session ID, UE ID, indicator, UE security capability, service ID, UE service ID, and DNN may be obtained by the SMF from the received session request; wherein:
In particular, a session identification (session ID) is used to identify the identity of the session, which has a unique session identification. Optionally, the session identifier may be generated by any one of UE, AN, AMF, and SMF. When the session identifier is generated by the UE, the session identifier is generated when the UE prepares to newly establish a session; when the session identifier is generated by any one of AN, AMF and SMF, the session identifier is generated when any one of the AN, AMF and SMF receives a request sent by another network element. For example, when the SMF receives a session request transmitted from the AN, it generates a session ID based on the session request.
In addition, the session identifier may be a newly established identifier, or may reuse another identifier, for example, any one of an existing session identifier, an air interface identifier, a radio bearer identifier, a slice identifier, an air interface resource identifier, an equipment permanent identifier, an equipment temporary identifier, a user permanent identifier, a user temporary identifier, and the like.
In particular, a user equipment identity (UE ID) is used to characterize the identity of the user equipment that issued the session request. For example: the UE ID may be one or more of a Media Access Control (MAC) address, an Internet Protocol (IP) address, a Mobile phone number, an International Mobile Equipment Identity (IMEI), an International Mobile Subscriber Identity (IMSI), an IP Multimedia Private Identity (IMPI), a Temporary Mobile Subscriber Identity (TMSI), an IP Multimedia Public Identity (IMPU), a global Unique Temporary UE identity (GUTI), and the like.
Specifically, the security capability of the user equipment is used to characterize security protection algorithms that the user equipment can support, key lengths that the user equipment can support, key update periods that the user equipment can support, and the like. It can be understood that the storage capacity and the operation speed of different user equipments are different, and therefore, the security protection algorithms supported by different user equipments, the supported key lengths, and the supported key update periods are different. For example, the storage capacity of Internet of Things (IoT) devices is not large, the operation speed is not high, and a security protection algorithm with high complexity cannot be supported; the smart phone has large storage capacity and higher operation speed, and can support a safety protection algorithm with higher complexity. Therefore, the user equipment needs to inform the PCF of the security capability of the user equipment, so that the PCF determines the user plane protection mechanism in combination with the security capability of the user equipment.
Specifically, the device security requirement is used to indicate the security requirement of the UE, that is, the device security requirement indicates to the PCF what user plane protection mechanism the UE needs, for example "encryption required + integrity protection not required", or "encryption not required + integrity protection required", or "encryption required + integrity protection required", and so on; it may also indicate the security protection algorithm required by the UE, the key length acceptable to the UE, the key update period acceptable to the UE, and the like.
Specifically, the service security requirement is used for characterizing at least one of a service acceptable security algorithm, an acceptable key length and an acceptable key update period. It will be appreciated that the requirements for security algorithms, key length, and key update period are different for different services. For example, financial services have a high demand on security algorithms, whereas video download services have a low demand on security algorithms. Therefore, the first device needs to notify the PCF of the service security requirement, so that the PCF generates the user plane protection mechanism in combination with the service security requirement.
6. The PCF determines the user plane protection mechanism.
In the embodiment of the present invention, the PCF may determine the user plane protection mechanism in a number of ways. Specifically, the PCF may determine the user plane protection mechanism according to at least one of the policy request, the UE registration information, the subscription service data, and the service security requirement fed back by the AF, that is, the PCF may determine the user plane protection mechanism according to at least one of the indicator, the service security requirement, the UE registration information, the subscription service data, and the service security requirement fed back by the AF.
The PCF acquires the UE registration information from the UDM. For example, the PCF sends the UE ID in the policy request to the UDM and obtains the UE registration information from the UDM in return. The UE registration information includes a preset UE security requirement, which indicates whether the UE needs ciphering, or whether the UE needs integrity protection, or whether the UE needs both ciphering and integrity protection. The SMF may also send the UE registration information to the PCF, in which case the SMF obtains the UE registration information by sending the UE ID to the UDM.
The PCF acquires the subscription service data from the UDM. For example, the PCF sends the service ID in the policy request to the UDM, or sends the DNN in the policy request to the UDM; the UDM determines the preset subscription service data for the service ID or DNN and sends the related subscription service data to the PCF. Alternatively, the PCF sends the UE ID and the service ID in the policy request to the UDM, or sends the UE ID and the DNN in the policy request to the UDM; the UDM determines the preset subscription service data based on the UE ID and the service ID, or on the UE ID and the DNN, and sends the related subscription service data to the PCF. The PCF may additionally send the UE service ID to the UDM so that the UDM can make the decision. The subscription service data includes a preset service security requirement, which indicates what user plane protection mechanism the service requires, for example whether the service needs to be encrypted, or integrity protected, or both encrypted and integrity protected.
Specifically, the PCF sends a request to the AF, and the AF feeds back the service security requirement to the PCF based on the request, wherein the request may include at least one of a UE ID, a service UE ID, or a DNN. The service security requirement fed back by the AF is used to indicate what user plane protection mechanism is needed for the service, for example, to indicate whether the service needs to be encrypted or integrity protected or both.
In this embodiment of the present invention, the user plane protection mechanism indicates the protection mode of user plane data transmission, for example whether the UE needs to perform encryption and/or integrity protection on the user plane data. The user plane protection mechanism may be "encryption required + integrity protection not required", or "encryption not required + integrity protection required", or "encryption required + integrity protection required". In addition, in this specific embodiment, the user plane protection mechanism may also indicate a security protection algorithm, a key length acceptable to the UE, a key update period acceptable to the UE, and the like.
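The policy decision described above (PCF here; AMF, AUSF or SMF in the earlier embodiments) and the algorithm selection from the UPF's priority list and the UE's security capability described earlier in this section, as an added example that is not the patent's own code. The page names the inputs but not how they are combined, so two rules are assumed here: the strictest requirement from any input wins, and the chosen algorithm is the highest-priority network algorithm the UE also supports, with no silent fallback when there is none. Algorithm names other than AES are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# Added example, not the patent's own code. The strictest-wins merge and the
# priority-list intersection are assumptions; "CIPHER-B"/"MAC-B" are
# constructed names, only "AES" appears on the page.
SAMPLE_ENC_PRIORITY = ["AES", "CIPHER-B"]   # constructed UPF priority list
SAMPLE_INT_PRIORITY = ["AES", "MAC-B"]


@dataclass(frozen=True)
class Requirement:
    """One input's view of what the user plane needs (indicator, preset UE
    security requirement, preset service requirement or AF feedback).
    None means the input expresses no opinion on that protection."""
    ciphering: Optional[bool] = None
    integrity: Optional[bool] = None


def merge_requirements(inputs: Sequence[Optional[Requirement]]) -> Requirement:
    """Strictest-wins merge: a protection is required if any input requires
    it, so a service's preset requirement cannot be weakened by the UE's
    indicator, and vice versa."""
    present = [r for r in inputs if r is not None]
    return Requirement(ciphering=any(bool(r.ciphering) for r in present),
                       integrity=any(bool(r.integrity) for r in present))


def mechanism_string(req: Requirement) -> str:
    """Render in the page's notation, e.g. 'encryption required + integrity
    protection not required'."""
    c = "encryption required" if req.ciphering else "encryption not required"
    i = ("integrity protection required" if req.integrity
         else "integrity protection not required")
    return c + " + " + i


def select_algorithm(priority_list: Sequence[str],
                     ue_security_capability: Sequence[str]) -> str:
    """Highest-priority network algorithm that the UE also supports. Refuses
    rather than picking an unsupported or weaker algorithm when the two
    lists have nothing in common."""
    supported = set(ue_security_capability)
    for alg in priority_list:
        if alg in supported:
            return alg
    raise ValueError("no security protection algorithm common to network and UE")


def determine_user_plane_protection_mechanism(
        indicator: Optional[Requirement],
        ue_registration: Optional[Requirement],
        subscription_service_data: Optional[Requirement],
        af_feedback: Optional[Requirement],
        ue_security_capability: Sequence[str],
        enc_priority_list: Sequence[str],
        int_priority_list: Sequence[str]) -> Dict[str, Optional[str]]:
    """Combine the inputs the page lists into a user plane protection
    mechanism, then attach the algorithms only for the protections required."""
    req = merge_requirements([indicator, ue_registration,
                              subscription_service_data, af_feedback])
    result: Dict[str, Optional[str]] = {"mechanism": mechanism_string(req),
                                        "encryption algorithm": None,
                                        "integrity algorithm": None}
    if req.ciphering:
        result["encryption algorithm"] = select_algorithm(
            enc_priority_list, ue_security_capability)
    if req.integrity:
        result["integrity algorithm"] = select_algorithm(
            int_priority_list, ue_security_capability)
    return result


def example() -> Dict[str, Optional[str]]:
    """Constructed case: the UE asks for encryption only, the subscribed
    service (say, a financial service) additionally needs integrity."""
    return determine_user_plane_protection_mechanism(
        indicator=Requirement(ciphering=True),
        ue_registration=None,
        subscription_service_data=Requirement(integrity=True),
        af_feedback=None,
        ue_security_capability=["CIPHER-B", "AES"],
        enc_priority_list=SAMPLE_ENC_PRIORITY,
        int_priority_list=SAMPLE_INT_PRIORITY)


if __name__ == "__main__":
    print(example())
```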
Specifically, in the specific implementation of the embodiment of the present invention, the user plane Protection mechanism may be a Service Data Flow Security mechanism (SDFSP).
7. The PCF sends a user plane protection mechanism (SDFSP) to the SMF, and correspondingly, the SMF obtains the user plane protection mechanism (SDFSP).
In one embodiment, the PCF sends the SDFSP directly to the SMF.
In another embodiment, the PCF encapsulates the SDFSP in certain parameters and sends the certain parameters to the SMF. For example, the PCF encapsulates the SDFSP in a PCC rule, the PCF sends the PCC rule to the SMF, and accordingly, the SMF acquires the SDFSP from the PCC rule after acquiring the PCC rule.
8. The SMF determines the QoS flow protection mechanism based on the user plane protection mechanism (SDFSP).
In the embodiment of the present invention, when user plane data needs to adopt a QoS flow transmission channel for data transmission, in order to obtain a security mechanism (fine granularity) based on QoS flow, the SMF needs to determine QoS Flow (QFI) corresponding to the user plane data, and further needs to determine a security mechanism corresponding to the QoS flow, where the security mechanism corresponding to the QoS flow is referred to as QFI security mechanism (QFI security protection), referred to as QFISP for short, and QFI is QoS flow ID.
Optionally, the SMF may determine the QoS flow according to an SDFSP requirement and a QoS requirement in the PCC rule, where the SDFSP requirement is a security requirement related to a user plane protection mechanism, and the QoS requirement is a requirement for quality of service parameters such as a delay, a bandwidth, and an error rate in the communication network.
Optionally, the SMF may determine the QoS flow according to SDFSP requirements, where the SDFSP requirements are security requirements related to a user plane protection mechanism.
In a specific implementation, a QoS flow channel is preset in a communication architecture, for example, the corresponding identifiers of the preset QoS flow channel are QoS flow ID1, QoS flow ID2, QoS flow ID3, and QoS flow ID 4. Then, (1) the SMF may determine the existing QoS flow to transmit user plane data based on SDFSP requirements and QoS requirements in PCC rule, e.g., select QoS flow ID 2; (2) the SMF may also find that it is not able to use QoS flow ID1 or QoS flow ID2 or QoS flow ID3 or QoS flow ID4 to transmit user plane data according to SDFSP requirements and QoS requirements in PCC rule, so it needs to create a QoS flow channel, for example, create QoS flow ID5 to transmit user plane data. The manner in which QoS flow is selected based only on SDFSP is similar to that described above.
It should be noted that, for Service Data Flows (SDFs), if different SDFs have the same security requirement, the SDFs with the same security requirement may be secured by using the same QFISP. For example, a QoS flow includes SDF1 and SDF2, and SDFSP1 for SDF1 and SDFSP2 for SDF2 are both "encryption only / integrity protection not required". In this case the data of the QoS flow can be protected by one set of QFISP, and the QFISP is the same as the SDFSP.
It is understood that SDFSP may include a variety of QFISPs. For example, for the four service data flows SDF1, SDF2, SDF3, SDF4 in the communication system, SDF1, SDF2 with the same security requirement adopt QFISP1 (corresponding to QoS flow ID1) as a security mechanism, and SDF3, SDF4 with the same security requirement adopt QFISP2 (corresponding to QoS flow ID2) as a security mechanism.
It is also understood that when all service data flows have the same security requirement (e.g., SDF1, SDF2, SDF3, SDF4 have the same security requirement), the QFISP to which these service data flows correspond is equivalent to SDFSP.
Optionally, the SMF may select QoS flow only according to the SDFSP requirement, determine QoS flow, and if there is a QoS flow ID meeting the SDFSP requirement, use the QoS flow corresponding to the QoS flow ID; otherwise, the QoS flow is regenerated.
In a specific embodiment, after determining the QFISP corresponding to the user plane data, the SMF generates a QoS rule, and the QoS rule includes the QFISP. The QoS rule is a parameter used to provide the QFISP corresponding to the user plane data to the UE.
In a specific embodiment, after determining the QFISP corresponding to the user plane data, the SMF generates a QoS profile, where the QoS profile includes the QFISP. Wherein, the QoS profile is a parameter for providing the QFISP corresponding to the user plane data to the AN.
9. The SMF sends the QoS flow protection mechanism (QFISP) and the QoS flow ID to the AN through the AMF.
In one embodiment, the SMF sends the QFISP and the QoS flow ID directly to the AN through the AMF.
In another embodiment, the SMF sends the QoS rule, the QoS profile and the QoS flow ID to the AN through the AMF, where the QFISP is included in the QoS profile.
Optionally, the SMF may also send the session ID to the AN through the AMF.
10. The AN determines the security protection algorithm and the protection key.
Specifically, the AN establishes a mapping from the session ID and the QoS flow ID to the DRB according to the QoS profile. When the AN selects the DRB, the AN can map the QoS flows with the same security protection requirement to the same DRB. Then the AN can determine that the user plane protection mechanism of the data within the DRB (i.e. the data with the same DRB ID) is the same by determining the DRB ID. Optionally, after determining the user plane protection mechanism, the AN may encrypt or integrity protect the user plane data by using the key.
In a specific embodiment, if QFISP is encryption/integrity protection, and QFISP does not directly specify a security protection algorithm, the AN determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the AN, and the user plane protection mechanism, for example, when the user plane protection mechanism is "encryption required + integrity protection required", the AN determines that the encryption algorithm is AES and the integrity protection algorithm is AES according to the UE security capability and the algorithm priority list supported by the AN. For another example, if encryption is not required, the encryption algorithm is null. If integrity protection is not required, the integrity protection algorithm is null.
In another embodiment, if the QFISP is encryption/integrity protection and the QFISP directly specifies the security protection algorithm, including the encryption algorithm and the integrity protection algorithm, the AN may obtain the security protection algorithm directly from the QFISP. For example, in step 6, after determining the user plane protection mechanism, the PCF may obtain the algorithm priority list supported by the AN and determine an air interface protection algorithm based on that list, the algorithms supported by the UE, and the security capability of the user equipment; for example, for the user plane protection mechanism "encryption required + integrity protection required", the PCF further determines that the encryption algorithm is AES and the integrity protection algorithm is AES, and carries the security protection algorithm in the user plane protection mechanism. In this case, since the user plane protection mechanism (QFISP) directly specifies the encryption algorithm and the integrity protection algorithm, the AN can obtain both directly from the QFISP after receiving it.
In an embodiment of the present invention, the AN may generate the user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption protection based on the determined encryption algorithm to obtain an air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm to obtain an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as the first air interface user plane protection key.
In a specific implementation, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID);
or, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID, flow ID);
or, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID);
or, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID, session ID, flow ID).
Here K_AN is a base station key (K_AN may also be called an intermediate key) that the AMF derives, after successful authentication, from the basic key obtained in authentication or from a key derived again after authentication, and sends to the AN; the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID, where the encryption algorithm ID indicates the corresponding encryption algorithm and the integrity protection algorithm ID indicates the corresponding integrity protection algorithm.
11. The AN sends the session ID, the QoS flow ID, the security protection algorithm and the QoS flow protection mechanism (QFISP) to the UE.
The QFISP can be carried in a QoS rule and transmitted to the UE.
In addition, the QoS flow protection mechanism is optional.
12. The UE determines a user plane protection key.
Specifically, the UE obtains the session ID, the QFI, the user plane security algorithm and K_AN, and generates the user plane protection key accordingly, where K_AN is the base station key derived by the UE from the basic key obtained in authentication or from a key derived again after authentication.
Specifically, the UE calculates a key for encryption protection based on the received encryption algorithm to obtain an air interface user plane encryption key; or, the UE calculates a key for integrity protection based on the received integrity protection algorithm, and obtains an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a second air interface user plane protection key.
In a specific implementation, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, flow ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, session ID, flow ID).
The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID. KDF is a Key Derivation Function, including but not limited to the following cryptographic derivation functions: HMAC (e.g., HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, and HASH algorithms, among others.
It can be understood that, in the process of implementing the user plane protection mechanism in a specific application scenario, the first air interface user plane protection key and the second air interface user plane protection key may be the same key. In uplink transmission, the UE may perform encryption protection and/or integrity protection on the user plane data based on the second air interface user plane protection key, and after receiving the user plane data sent by the UE, the AN decrypts and/or performs integrity verification on the user plane data based on the first air interface user plane protection key. In downlink transmission, the AN performs encryption protection and/or integrity protection on user plane data based on a first air interface user plane protection key, and after receiving the user plane data sent by the AN, the UE decrypts and/or performs integrity inspection on the user plane data based on a second air interface user plane protection key.
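The derivations in steps 10 and 12 above (and the DRB ID variant listed later for the fig. 12 embodiment) can be made concrete with a short example. The following code is an added example, not code from the patent or from Huawei: it implements KDF as HMAC-SHA256 over K_AN and an encoding of the UP algorithm ID, session ID, flow ID and DRB ID, derives the first key on the AN side and the second key on the UE side, and then uses the integrity key to protect an uplink PDU as the text describes. The input encoding of the KDF, the one-byte algorithm identifiers, the 32-bit MAC and all sample values are assumptions made for this example; the encryption key is derived but no cipher is applied, since the standard library provides no AES.

```python
"""Added example (not the patent's own code): air interface user plane key
derivation from K_AN, as done by the AN (first key) and the UE (second key),
plus integrity protection of one uplink PDU with the derived key."""
import hashlib
import hmac
import os

# Constructed UP algorithm identifiers (one byte each). The text only states
# that an encryption algorithm ID and an integrity protection algorithm ID exist.
ENC_ALG_ID = {"null": 0x00, "AES": 0x01, "ZUC": 0x02}
INT_ALG_ID = {"null": 0x80, "AES": 0x81, "ZUC": 0x82}


def kdf(k_an, up_algorithm_id, session_id=None, flow_id=None, drb_id=None, length=16):
    """KDF(K_AN, UP algorithm ID[, session ID][, flow ID][, DRB ID]) using HMAC-SHA256.

    Each optional parameter is encoded as (tag, length, value) so that, e.g.,
    session ID=1/flow ID=2 and session ID=2/flow ID=1 never produce the same
    input. Omitted parameters are simply absent, which gives the variants
    listed in the text. The label byte and tags are constructed for this example.
    """
    s = b"\x55" + bytes([up_algorithm_id])  # constructed label for "user plane key"
    for tag, value in ((0x01, session_id), (0x02, flow_id), (0x03, drb_id)):
        if value is not None:
            s += bytes([tag, 2]) + value.to_bytes(2, "big")
    return hmac.new(k_an, s, hashlib.sha256).digest()[:length]


def derive_up_keys(k_an, enc_alg, int_alg, session_id, flow_id):
    """Return (encryption key, integrity key); a null algorithm yields no key."""
    enc_key = None if enc_alg == "null" else kdf(k_an, ENC_ALG_ID[enc_alg], session_id, flow_id)
    int_key = None if int_alg == "null" else kdf(k_an, INT_ALG_ID[int_alg], session_id, flow_id)
    return enc_key, int_key


def integrity_protect(int_key, pdu, count):
    """Append a 32-bit MAC computed over (count || pdu); count is a per-PDU counter."""
    mac = hmac.new(int_key, count.to_bytes(4, "big") + pdu, hashlib.sha256).digest()[:4]
    return pdu + mac


def integrity_verify(int_key, protected, count):
    """Return the PDU if its MAC verifies under int_key and count, else None."""
    pdu, mac = protected[:-4], protected[-4:]
    expected = hmac.new(int_key, count.to_bytes(4, "big") + pdu, hashlib.sha256).digest()[:4]
    return pdu if hmac.compare_digest(mac, expected) else None


def demo_uplink(k_an=None):
    """UE derives the second key, AN the first; both agree and an uplink PDU verifies."""
    k_an = k_an or os.urandom(32)   # constructed: in the text K_AN is provided by the AMF
    session_id, flow_id = 1, 2      # PDU session 1, QoS flow ID2 (constructed values)
    # Step 10 on the AN and step 12 on the UE run the same derivation.
    an_enc, an_int = derive_up_keys(k_an, "AES", "AES", session_id, flow_id)
    ue_enc, ue_int = derive_up_keys(k_an, "AES", "AES", session_id, flow_id)
    same_keys = an_enc == ue_enc and an_int == ue_int
    # Keys are bound to the flow: another QoS flow of the same session gets other keys.
    _, other_flow_int = derive_up_keys(k_an, "AES", "AES", session_id, flow_id + 1)
    protected = integrity_protect(ue_int, b"uplink user data", count=7)
    accepted = integrity_verify(an_int, protected, count=7)
    rejected_other_flow = integrity_verify(other_flow_int, protected, count=7)
    rejected_wrong_count = integrity_verify(an_int, protected, count=8)
    return same_keys, accepted, rejected_other_flow, rejected_wrong_count


if __name__ == "__main__":
    print(demo_uplink())
```

Because flow ID and session ID enter the KDF, a key derived for one QoS flow does not verify data protected under another flow's key, which is the per-flow granularity the embodiment is after; the per-PDU count keeps a captured PDU from verifying under a different counter value.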
It should be noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: in step 4, the session establishment procedure may also be initiated by the AMF, i.e. the AMF sends a session request to the SMF. In this case, the user equipment identity (UE ID), the UE security capability, the indicator, the DNN, the service ID, the UE service ID, etc. in the session request may be obtained by the AMF from the received attach request, where the attach request carries the above information.
Possibility 2: in a possible embodiment, the content of step 7 and step 8 may be replaced by: and the PCF directly determines the QoS flow protection mechanism and sends the QoS flow protection mechanism to the SMF.
Possibility 3: the flow ID and the session ID may be generated before the SMF sends the policy request.
It should also be noted that the embodiment of fig. 11 is only used as an example and should not be considered as a limitation to the present invention.
It can be seen that, by implementing the embodiment of the present invention, a future 5G-based communication architecture can be realized in which, during session establishment, the UE and AN complete policy negotiation at flow transmission channel granularity; the PCF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side; and the UE and AN each determine a security protection algorithm and key, thereby implementing security protection of user plane data.
To facilitate understanding of the solution of the embodiment of the present invention, some operation flows of applying the flow-based key configuration method in fig. 11 in uplink transmission and downlink transmission of user plane data are illustrated below based on the UE-AN, and are described in detail as follows:
(1) Uplink transmission of user plane data under the flow-based key configuration method.
On the UE side, when the user plane data needs to be transmitted in an uplink mode, the UE determines a session ID according to the user data and then confirms a QoS flow ID. For example, the UE determines that the uplink user data (IP packet) adopts session ID1(PDU session1), and further determines that QFI is QoS flow ID1, and then, through negotiation of the UE-AN based on the method flow shown in fig. 11, the UE determines a security protection mechanism (QFISP) corresponding to QoS flow ID1, and obtains a security protection algorithm, which includes AN encryption algorithm and AN integrity protection algorithm; therefore, the UE performs security protection of the user plane data using the corresponding protection key based on the ciphering algorithm and the integrity protection algorithm.
At the AN side, the AN confirms QoS flow ID1 according to the air interface identifier RB ID1 (or DRB ID1); then, through the UE-AN negotiation based on the method flow shown in fig. 11, the UE determines the security protection mechanism (QFISP) corresponding to QoS flow ID1 and obtains the security protection algorithm, including an encryption algorithm and an integrity protection algorithm; after the AN obtains the user plane data uploaded by the UE, the AN may perform security protection of the user plane data using the corresponding key based on the encryption algorithm and the integrity protection algorithm. It should be noted that the AN may determine the security protection mechanism directly according to the QFI in the protocol stack, or the UE determines the QFI according to marking in the air interface protocol stack and then determines the security mechanism.
(2) Downlink transmission of user plane data under the flow-based key configuration method.
On the AN side, when the AN needs to perform downlink transmission on user plane data, the AN may determine a security protection mechanism based on the method flow shown in fig. 11 according to QFI, for example, determine that QFI is QoS flow ID3, determine that AN air interface identifier RB ID3(DRB ID3) corresponding to QoS flow ID3, further determine a security protection mechanism (QFISP) corresponding to QoS flow ID3, obtain a security protection algorithm including AN encryption algorithm and AN integrity protection algorithm, and perform security protection on user plane data by using a corresponding key based on the encryption algorithm and the integrity protection algorithm.
At the UE side, the UE confirms that QFI is QoS flow ID3 according to DRB ID3, and the AN can confirm a security protection mechanism (QFISP) corresponding to QoS flow ID3 according to QFI based on the method flow shown in fig. 11, obtain a security protection algorithm including AN encryption algorithm and AN integrity protection algorithm, and perform security protection of user plane data using a corresponding key based on the encryption algorithm and the integrity protection algorithm. It should be noted that the UE may also determine the security protection mechanism directly according to the QFI in the protocol stack, or the UE determines the QFI according to marking in the air interface protocol stack, and then determines the security mechanism.
A key configuration method based on a DRB according to AN embodiment of the present invention is described below from the viewpoint of granularity differentiation based on a UE-AN, and as shown in fig. 12, the key configuration method according to the embodiment of the present invention includes the following steps:
1-3. During network attach, the UE sends an attach request to the AUSF through the AN and the AMF, and the AUSF performs authentication with the UE based on the UE ID and determines that the UE is a valid user.
In the embodiment of the present invention, the attach request at least includes a user equipment identity (UE ID). In addition, optionally, the attach request may further include a service ID, a UE service ID, or a DNN, and optionally, the attach request may further include indication information (indicator) of security requirements.
4. The UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
5. The SMF sends a policy request to the PCF.
6. The PCF determines the user plane protection mechanism.
7. The PCF sends a user plane protection mechanism (SDFSP) to the SMF, and correspondingly, the SMF obtains the user plane protection mechanism (SDFSP).
8. The SMF determines the QoS flow protection mechanism based on the user plane protection mechanism (SDFSP).
9. The SMF sends the QoS flow protection mechanism (QFISP) and the QoS flow ID to the AN through the AMF.
In one embodiment, the SMF sends the QFISP directly to the AN through the AMF;
in another embodiment, the SMF sends the QoS rule and the QoS profile to the AN through the AMF. The QFISP is included in the QoS rule, and the QoS rule is used to provide the QFISP corresponding to the user plane data to the UE. The QFISP is also included in the QoS profile, and the QoS profile is used to provide the QFISP corresponding to the user plane data to the AN.
Optionally, the SMF may also send the session ID to the AN through the AMF.
10. The AN determines the DRB and determines a DRB protection mechanism.
In the embodiment of the invention, the user plane data can realize a safety protection mechanism in data transmission based on the DRB.
Specifically, in order to obtain a security protection mechanism (fine granularity) based on the DRB, the AN needs to determine the DRB corresponding to the QoS flow, establish a mapping between the session ID and the QoS flow ID to the DRB ID, and further needs to determine a security mechanism corresponding to the DRB ID, which is hereinafter referred to as a DRB security mechanism (DRB security protection), referred to as DRBSP for short.
Optionally, the AN may determine the DRB ID according to the QFISP requirement and the QoS requirement, where the DRB ID both needs to satisfy the QoS requirement in the QoS profile and also satisfies the QFISP requirement. Among the QFISP requirements are security requirements (e.g., encryption only, no integrity protection is needed) involved in QoS flow, and the QoS requirements are requirements for quality of service parameters such as latency, bandwidth, error rate, etc. in a communication network.
Optionally, the AN may determine the DRB ID according to the QFISP requirement, where the DRB ID needs to meet the QFISP requirement.
In a specific implementation, the DRB channel is preset in the communication architecture, for example, the corresponding identifiers of the preset DRB channel are DRB ID1, DRB ID2, DRB ID3, and DRB ID 4. Then (1) the SMF may determine the existing DRBs to carry QoS flow or user plane data based on QFISP requirements and requirements for QoS in the profile, e.g., select DRB ID 1; (2) the SMF may also discover that it is not possible to use DRB ID1 or DRB ID2 or DRB ID3 or DRB ID4 to carry QoS flow or user plane data according to QFISP requirements and QoS requirements in profile, so a DRB channel needs to be newly created, for example, DRB ID5 is generated to carry QoS flow or user plane data.
It should be noted that if different QoS flows (or different SDFs) have the same security requirement, the QoS flows with the same security requirement may be secured by using the same set of DRBSP. For example, the DRB includes QoS flow1 and QoS flow2, and both QFISP1 for QoS flow1 and QFISP2 for QoS flow2 support only encryption/do not require integrity protection. At this time, the data carried by the DRB may be protected by using a set of DRBSP.
It is understood that different DRBs may have different DRBSPs. For example, for the four QoS flows QoS flow1, QoS flow2, QoS flow3 and QoS flow4 in the communication system, QoS flow1 and QoS flow2, which share a security requirement, adopt DRBSP1 (corresponding to DRB ID1) as their security mechanism, and QoS flow3 and QoS flow4, which share another security requirement, adopt DRBSP2 (corresponding to DRB ID2) as their security mechanism.
Optionally, the AN may select the DRB ID only according to the QFISP requirement, determine the DRB, and if there is a DRB ID meeting the QFISP requirement, use the DRB corresponding to the DRB ID; otherwise, regenerating DRB.
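The selection just described for DRBs at the AN (step 10 of fig. 12) and the QoS flow selection by the SMF in step 8 of fig. 11 are the same procedure at two granularities: reuse a preset channel whose security requirement (and, optionally, QoS requirement) matches the flow, otherwise create a new one, so that every flow carried by a channel shares one protection mechanism. The following code is an added example, not code from the patent or from Huawei, that implements that procedure once and applies it first as the SMF (SDF to QoS flow, from SDFSP plus QoS requirement) and then as the AN (QoS flow to DRB, from QFISP only). The identifiers, the preset channels and the QoS parameters are constructed for the example.

```python
"""Added example (not the patent's own code): allocating flows to transmission
channels so that each channel carries only flows with the same security
requirement. Used here for SDF -> QoS flow (SMF) and QoS flow -> DRB (AN)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Protection:
    """User plane protection mechanism of a flow: which protections it needs."""
    encryption: bool
    integrity: bool


@dataclass(frozen=True)
class QoSRequirement:
    """Constructed QoS parameters; only equality matters for channel reuse here."""
    max_delay_ms: int
    min_bandwidth_kbps: int


@dataclass
class Channel:
    channel_id: str
    protection: Protection          # the channel's own mechanism (QFISP or DRBSP)
    qos: QoSRequirement             # None when the channel was chosen by security only
    members: list = field(default_factory=list)


class ChannelAllocator:
    """Holds preset channels and allocates a flow to an existing or a new one.

    prefix is "QoS flow ID" at the SMF or "DRB ID" at the AN; a newly created
    channel continues the numbering after the preset ones, as in the text's
    "create QoS flow ID5" / "generate DRB ID5" examples.
    """

    def __init__(self, prefix, preset):
        self.prefix = prefix
        self.channels = list(preset)

    def allocate(self, flow_id, protection, qos=None):
        # (1) reuse an existing channel whose security (and QoS) requirement matches
        for ch in self.channels:
            if ch.protection == protection and (qos is None or ch.qos == qos):
                ch.members.append(flow_id)
                return ch
        # (2) no preset channel is usable for this flow: create a new channel
        ch = Channel(f"{self.prefix}{len(self.channels) + 1}", protection, qos, [flow_id])
        self.channels.append(ch)
        return ch


def demo_smf_then_an():
    """SMF maps SDF1..SDF4 to QoS flows; the AN then maps those QoS flows to DRBs."""
    enc_only = Protection(encryption=True, integrity=False)
    enc_int = Protection(encryption=True, integrity=True)
    low_latency = QoSRequirement(max_delay_ms=10, min_bandwidth_kbps=500)
    best_effort = QoSRequirement(max_delay_ms=300, min_bandwidth_kbps=100)

    # Constructed preset QoS flows available before session establishment.
    smf = ChannelAllocator("QoS flow ID", [
        Channel("QoS flow ID1", enc_only, best_effort),
        Channel("QoS flow ID2", enc_int, best_effort),
    ])
    sdfs = {  # SDFSP and QoS requirement of each service data flow (constructed)
        "SDF1": (enc_only, best_effort),
        "SDF2": (enc_only, best_effort),
        "SDF3": (enc_int, best_effort),
        "SDF4": (enc_int, low_latency),   # no preset flow fits: a new QoS flow is created
    }
    qfi_of = {sdf: smf.allocate(sdf, p, q).channel_id for sdf, (p, q) in sdfs.items()}

    # AN side: QoS flows with the same security requirement go onto the same DRB.
    # Selection is by QFISP only here (the QoS profile requirement is ignored).
    an = ChannelAllocator("DRB ID", [])
    drb_of = {}
    for ch in smf.channels:
        if ch.members:
            drb_of[ch.channel_id] = an.allocate(ch.channel_id, ch.protection).channel_id
    return qfi_of, drb_of


if __name__ == "__main__":
    print(demo_smf_then_an())
```

In the demo SDF1 and SDF2 share QoS flow ID1 (one QFISP for both, as the text notes), SDF4 forces a new QoS flow ID3, and at the AN the two encryption-plus-integrity flows end up on one DRB with a single DRBSP.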
11. The AN determines a security protection algorithm and a user plane protection key.
In one embodiment, if the DRBSP is encryption/integrity protection and the DRBSP does not directly specify a security protection algorithm, the AN determines the security protection algorithm based on the UE security capability, the algorithm priority list supported by the AN, and the user plane protection mechanism. For example, if the DRBSP requires ciphering but not integrity protection, the UE security capability supports AES ciphering and ZUC ciphering, and the AN gives AES ciphering first priority, then the AN selects the ciphering algorithm AES, and the integrity protection algorithm is null.
In another embodiment, if the DRBSP is encrypted or integrity protected, and the DRBSP directly specifies the security protection algorithm, including the encryption algorithm and the integrity protection algorithm, the AN may directly obtain the security protection algorithm from the DRBSP.
In an embodiment of the present invention, the AN may generate the user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption protection based on the determined encryption algorithm to obtain an air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm to obtain an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as the first air interface user plane protection key.
In a specific implementation, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID);
or, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID);
or, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID, flow ID);
or, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID, session ID, flow ID);
or, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID, session ID, DRB ID).
Here K_AN is a base station key that the AMF derives, after successful authentication, from the basic key obtained in authentication or from a key derived again after authentication, and sends to the AN; the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID, where the encryption algorithm ID indicates the corresponding encryption algorithm and the integrity protection algorithm ID indicates the corresponding integrity protection algorithm.
12. The AN sends the session ID, the QoS flow ID, the security protection algorithm, the QoS flow protection mechanism (QFISP) and the DRB protection mechanism (DRBSP) to the UE.
The QFISP and/or DRBSP may be carried in a QoS rule and transmitted to the UE.
The QFISP is optional, and the DRBSP is optional.
13. The UE determines a user plane protection key.
The UE acquires the session ID, the QFI, the user plane security algorithm, the QFISP, the DRBSP and K_AN, and generates the user plane protection key accordingly;
or the UE acquires the session ID, the QFI and the user plane security algorithm, and generates the user plane protection key from the acquired session ID, QFI and user plane security algorithm together with K_AN.
Specifically, the UE calculates a key for encryption protection based on the received encryption algorithm to obtain an air interface user plane encryption key; or, the UE calculates a key for integrity protection based on the received integrity protection algorithm, and obtains an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a second air interface user plane protection key.
In a specific implementation, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, flow ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, session ID, flow ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, session ID, DRB ID).
Here K_AN is the base station key that the UE derives, after successful authentication, from the basic key obtained in authentication or from a key derived again after authentication; the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID. KDF is a Key Derivation Function, including but not limited to the following cryptographic derivation functions: HMAC (e.g., HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, and HASH algorithms, among others.
It should be noted that, for the steps not described in detail in the embodiment of fig. 13, reference may be made to the relevant description in the embodiment of fig. 11. The embodiment of fig. 12 is only an example and should not be construed as limiting the invention.
It should be further noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: in step 4, the session establishment procedure may also be initiated by the AMF, i.e. the AMF sends a session request to the SMF. In this case, the user equipment identity (UE ID), the UE security capability, the indicator, the DNN, the service ID, the UE service ID, etc. in the session request may be obtained by the AMF from the received attach request, where the attach request carries the above information.
Possibility 2: in a possible embodiment, the content of step 7 and step 8 may be replaced by: and the PCF directly determines the QoS flow protection mechanism and sends the QoS flow protection mechanism to the SMF.
Possibility 3: the flow ID and the session ID may be generated before the SMF sends the policy request.
It can be seen that the difference between the embodiment of fig. 12 and the embodiment of fig. 11 is that policy negotiation is performed between UE and AN based on DRB transmission channel granularity.
By implementing the embodiment of the invention, a future 5G-based communication architecture can be realized in which, during session establishment, the UE and AN complete policy negotiation at DRB transmission channel granularity; the PCF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side; and the UE and AN each determine a security protection algorithm and key, thereby realizing security protection of user plane data.
Some operation flows of applying the above-mentioned DRB-based key configuration method in fig. 12 in uplink transmission and downlink transmission of user plane data are briefly described below based on UE-AN, and are described as follows:
(1) Uplink transmission of user plane data under the DRB-based key configuration method.
On the UE side, the UE determines the session ID from the user data, confirms the QFI and the DRB ID, determines the security protection mechanism (DRBSP) from the DRB ID, and, once the encryption algorithm and the integrity protection algorithm are determined, performs security protection of the user plane data with the corresponding user plane protection key.
On the AN side, the AN confirms the DRB ID and determines the corresponding security protection mechanism (DRBSP), obtains the security protection algorithm comprising an encryption algorithm and an integrity protection algorithm, and, after receiving the user plane data uploaded by the UE, performs security protection of the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm.
(2) Downlink transmission of user plane data under the DRB-based key configuration method.
On the AN side, when the AN needs to transmit user plane data downlink, the AN confirms the DRB from the QFI, determines the DRBSP corresponding to the DRB, obtains the security protection algorithm comprising an encryption algorithm and an integrity protection algorithm, and performs security protection of the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm.
On the UE side, the UE confirms the DRB ID, obtains the security protection algorithm (an encryption algorithm and an integrity protection algorithm) corresponding to the security protection mechanism (DRBSP), and performs security protection of the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm.
A session-based key configuration method provided in the embodiment of the present invention is described below from the viewpoint of granularity differentiation based on UE-AN, and as shown in fig. 13, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. During network attach, the UE sends an attach request to the AUSF through the AN and the AMF, and the AUSF performs authentication with the UE based on the UE ID and determines that the UE is a valid user.
In the embodiment of the present invention, the attach request at least includes a user equipment identity (UE ID). In addition, optionally, the attach request may further include a service ID, a UE service ID, or a DNN, and optionally, the attach request may further include indication information (indicator) of security requirements.
4. The UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
5. The SMF sends a policy request to the PCF.
6. The PCF determines the user plane protection mechanism.
7. The PCF sends a user plane protection mechanism (SDFSP) to the SMF, and correspondingly, the SMF obtains the user plane protection mechanism (SDFSP).
8. The SMF determines the session protection mechanism.
In the embodiment of the invention, when the user plane data is to be transmitted over a session transmission channel, a DRB transmission channel or a QoS flow transmission channel, the security protection mechanism for the data transmission can be realised on a per-session basis.
Specifically, the SMF may determine the session protection mechanism based on the SDFSPs in the different PCC rules, or the SMF may receive the session protection mechanism directly from the PCF.
9. The SMF sends the QFISP, the session protection mechanism and the QoS flow ID to the AN through the AMF.
In a specific embodiment, the SMF directly sends a session ID, a session protection mechanism, and a QoS flow ID to the AN through the AMF;
in another embodiment, the SMF sends the QoS rule, QoS profile, QoS flow ID to the AN through the AMF. The QoS rule comprises a session protection mechanism, and the QoS rule is used for providing the session protection mechanism corresponding to the user plane data for the UE. The QoS profile includes the session protection mechanism, and the QoS profile is used to provide the session protection mechanism corresponding to the user plane data to the AN.
Optionally, the SMF may also send the session ID to the AN through the AMF.
10. The AN determines a security protection algorithm and a user plane protection key.
In a specific embodiment, if the session protection mechanism is encryption/integrity protection but does not directly specify a security protection algorithm, the AN determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the AN, and the user plane protection mechanism. For example, if the session protection mechanism requires ciphering but not integrity protection, the UE security capability supports AES and ZUC ciphering, and the AN gives AES ciphering the first priority, then the AN selects AES as the ciphering algorithm and the integrity protection algorithm is the null algorithm.
In another embodiment, if the session protection mechanism is encryption/integrity protection, and the session protection mechanism directly specifies the security protection algorithm, including the encryption algorithm and the integrity protection algorithm, the AN may directly obtain the security protection algorithm from the session protection mechanism.
In AN embodiment of the present invention, the AN may generate the user plane protection key based on a security protection algorithm. Specifically, the AN calculates a key for encryption protection based on the determined encryption algorithm to obtain AN air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm to obtain AN air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
In a specific implementation, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID);
alternatively, the first air interface user plane protection key is KDF(K_SMF, UP algorithm ID, flow ID),
or KDF(K_SMF, UP algorithm ID, session ID),
or KDF(K_SMF, UP algorithm ID, DRB ID).
Here K_AN is a base station key that the AMF derives, after successful authentication, from the post-authentication base key or from a key derived again after authentication, and the AMF sends K_AN to the AN; the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID; and the DRB ID may be the DRB ID assigned by the AN for this service.
11. The AN sends a session ID, a QoS flow ID, a security protection algorithm and a session protection mechanism to the UE.
The session protection mechanism may be carried in a QoS rule and sent to the UE.
Additionally, the session protection mechanism is optional.
12. The UE determines a protection key.
The UE obtains the session ID, the QFI, the user plane security algorithm, the session protection mechanism and K_AN, and generates the user plane protection key accordingly.
Specifically, the UE calculates a key for encryption protection based on the received encryption algorithm to obtain an air interface user plane encryption key; or the UE calculates a key for integrity protection based on the received integrity protection algorithm to obtain an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a second air interface user plane protection key.
In a specific implementation, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID);
alternatively, the second air interface user plane protection key is KDF(K_SMF, UP algorithm ID, flow ID);
alternatively, the second air interface user plane protection key is KDF(K_SMF, UP algorithm ID, session ID);
or the second air interface user plane protection key is KDF(K_SMF, UP algorithm ID, DRB ID).
Here K_AN is a base station key that the AMF derives, after successful authentication, from the post-authentication base key or from a key derived again after authentication, and which the UE likewise holds on its side; the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID; and the DRB ID may be the DRB ID assigned by the AN for this service. KDF is a key derivation function, including but not limited to the following cryptographic derivation functions: HMAC (e.g., HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, and hash algorithms, among others.
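The algorithm selection of step 10 and the key derivation of steps 10 and 12, as an added example that is not part of the patent: the AN and the UE run the derivation independently and must arrive at identical first and second air interface user plane protection keys, while a protection kind the mechanism does not require gets the null algorithm and no key. Assumptions: HMAC-SHA256 over length-prefixed parameters as the KDF (one of the families listed above), and constructed values for the numeric algorithm IDs, K_AN and the session ID; with K_SMF as the root key the same derivation applies at UE-CN granularity (fig. 14 and fig. 15).

```python
import hashlib
import hmac

# Algorithm identifiers that go into the KDF as the "UP algorithm ID". The page
# only names AES and ZUC; the numeric codes and the type byte are constructed
# for this example so that ciphering and integrity IDs never collide.
ALG_IDS = {"NULL": 0x00, "AES": 0x01, "ZUC": 0x02}
ALG_TYPE = {"ciphering": 0x01, "integrity": 0x02}


def select_algorithm(required, ue_supported, an_priority_list):
    """Step 10: walk the AN's priority list and take the first algorithm the
    UE security capability also supports. If the session protection mechanism
    does not require this kind of protection, the result is the null algorithm."""
    if not required:
        return "NULL"
    for alg in an_priority_list:
        if alg in ue_supported:
            return alg
    raise ValueError("UE capability and AN priority list share no algorithm")


def negotiate(mechanism, ue_capability, an_priority):
    """mechanism:     {'ciphering': bool, 'integrity': bool}
    ue_capability: {'ciphering': [...], 'integrity': [...]}  (UE security capability)
    an_priority:   {'ciphering': [...], 'integrity': [...]}  (AN priority list)"""
    return {
        kind: select_algorithm(mechanism[kind], ue_capability[kind], an_priority[kind])
        for kind in ("ciphering", "integrity")
    }


def kdf(key, *params):
    """KDF(K, P1, P2, ...) realised with HMAC-SHA256. Every parameter is
    length-prefixed so (b'ab', b'c') and (b'a', b'bc') never produce the same
    input string (the encoding is a constructed choice, not the page's)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_up_keys(root_key, algorithms, granularity_id=None):
    """Return (encryption key, integrity key) following
    KDF(K_AN, UP algorithm ID) or KDF(K_SMF, UP algorithm ID, session ID).
    root_key is K_AN at UE-AN granularity or K_SMF at UE-CN granularity;
    granularity_id is the session ID, flow ID or DRB ID, or None for the
    two-parameter form. A null algorithm needs no key, so it yields None."""
    keys = {}
    for kind in ("ciphering", "integrity"):
        alg = algorithms[kind]
        if alg == "NULL":
            keys[kind] = None
            continue
        up_alg_id = bytes([ALG_TYPE[kind], ALG_IDS[alg]])
        params = [up_alg_id] if granularity_id is None else [up_alg_id, granularity_id]
        keys[kind] = kdf(root_key, *params)
    return keys["ciphering"], keys["integrity"]


def fig13_session_example():
    """Both ends of the air interface derive independently and must agree.
    All inputs are constructed sample values; the mechanism mirrors the
    'ciphering required, integrity not required' example in the text."""
    k_an = hashlib.sha256(b"constructed K_AN handed to the AN by the AMF").digest()
    mechanism = {"ciphering": True, "integrity": False}
    ue_capability = {"ciphering": ["AES", "ZUC"], "integrity": ["AES", "ZUC"]}
    an_priority = {"ciphering": ["AES", "ZUC"], "integrity": ["ZUC", "AES"]}
    session_id = (0x2A).to_bytes(1, "big")

    algorithms = negotiate(mechanism, ue_capability, an_priority)  # AN, step 10
    an_keys = derive_up_keys(k_an, algorithms, session_id)         # AN, step 10
    ue_keys = derive_up_keys(k_an, algorithms, session_id)         # UE, step 12
    return algorithms, an_keys, ue_keys


if __name__ == "__main__":
    algs, an_keys, ue_keys = fig13_session_example()
    print(algs, "keys match:", an_keys == ue_keys)
```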
It should be noted that, for the steps not described in detail in the embodiment of fig. 13, reference may be made to the relevant description in the embodiment of fig. 11. The embodiment of fig. 13 is only an example and should not be construed as limiting the invention.
It should be noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: in step 4, the session establishment procedure may also be initiated by the AMF, i.e. the AMF sends a session request to the SMF. In this case, the user equipment identity (UE ID), the UE security capability, the indicator, or the DNN, the service ID, the UE service ID, etc. in the session request may be obtained by the AMF from the received attach request, where the attach request carries the above information.
Possibility 2: the flow ID and the session ID may be generated before the SMF sends the policy request.
It can be seen that the difference between the embodiment of fig. 13 and the embodiment of fig. 11 is that the UE-AN performs policy negotiation using PDU session transport channel based granularity.
The embodiment of the invention can be realised on a future 5G-based communication architecture: during session establishment, the UE and the AN complete policy negotiation at PDU session transmission channel granularity, the PCF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset on the network side, and the UE and the AN each determine the security protection algorithm and key, thereby realising security protection of the user plane data.
To facilitate understanding of the solution of the embodiment of the present invention, some operation flows of applying the session-based key configuration method in fig. 13 in uplink transmission and downlink transmission of user plane data are illustrated below based on the UE-AN, and are specifically described as follows:
(1) Uplink transmission of user plane data under the session-based key configuration method.
On the UE side, the UE determines the session ID from the user data, then identifies the security protection mechanism (session protection mechanism) corresponding to that session ID and obtains the security protection algorithm, comprising an encryption algorithm and an integrity protection algorithm; the UE then applies security protection to the user plane data with the corresponding protection key based on the ciphering algorithm and the integrity protection algorithm.
On the AN side, the AN identifies the QoS flow ID from the DRB ID, then the session ID, and finally the security protection mechanism (session protection mechanism) corresponding to that session ID; after receiving the user plane data uploaded by the UE, the AN can apply security protection to the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm. Alternatively, the AN determines the session ID directly from the DRB ID, or determines the QFI from the QFI carried in the protocol stack or from a marking in the protocol stack.
(2) Downlink transmission of user plane data under the session-based key configuration method.
On the AN side, when the AN needs to transmit user plane data downlink, the AN identifies the session ID from the QFI, then the security protection mechanism (session protection mechanism), obtains the security protection algorithm, comprising an encryption algorithm and an integrity protection algorithm, and applies security protection to the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm. Alternatively, the AN determines the session ID directly from the DRB ID, or identifies the security protection mechanism (session protection mechanism) from the session ID carried in the protocol stack. On the UE side, the UE identifies the QoS flow ID from the DRB ID, then the session ID, and finally the security protection mechanism (session protection mechanism) corresponding to that session ID, obtains the security protection algorithm, comprising an encryption algorithm and an integrity protection algorithm, and can apply security protection to the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm.
A flow-based key configuration method provided in the embodiment of the present invention is described below from the viewpoint of granularity differentiation based on the UE-CN, and as shown in fig. 14, the flow-based key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. During network attachment, the UE sends an attach request to the AUSF through the AN and the AMF, and the AUSF performs authentication with the UE based on the UE ID and determines that the UE is a valid user.
4. The UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
The session request is for requesting that a session be established between the UE and the SMF. For example, if the session is established by the session establishment protocol, the session request is the session establishment request signaling.
5. The SMF sends a policy request to the PCF.
Reference may be made to the description of step 5 in the embodiment of fig. 11, which is not repeated here.
6. The PCF determines the user plane protection mechanism.
Reference may be made to the description of step 6 in the embodiment of fig. 11, which is not repeated here.
7. The PCF sends a user plane protection mechanism (SDFSP) to the SMF, and correspondingly, the SMF obtains the user plane protection mechanism (SDFSP).
Reference may be made to the description of step 7 in the embodiment of fig. 11, which is not repeated here.
8. The SMF determines the QoS flow protection mechanism (QFISP) based on the user plane protection mechanism (SDFSP).
Reference may be made to the description of step 8 in the embodiment of fig. 11, which is not repeated here.
9. The SMF determines a security protection algorithm and a user plane protection key.
In a specific embodiment, if the QFISP indicates whether encryption/integrity protection is required but does not directly specify a security protection algorithm, the SMF determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the UPF, and the QFISP; the algorithm priority list supported by the UPF may be preset in the SMF, or preset in the UPF, in which case the SMF obtains it from the UPF. For example, when the user plane protection mechanism is "encryption required + integrity protection required", the SMF determines that the encryption algorithm is AES and the integrity protection algorithm is AES according to the UE security capability, the algorithm priority list supported by the UPF, and the algorithms supported by the UE. If encryption is not required, the encryption algorithm is null. If integrity protection is not required, the integrity protection algorithm is null.
In another embodiment, if the QFISP is encryption/integrity protection, and the QFISP directly specifies the security protection algorithm, including the encryption algorithm and the integrity protection algorithm, the SMF may directly obtain the security protection algorithm from the QFISP. For example, in step 6, after determining the user plane protection mechanism, the PCF may obtain an algorithm priority list supported by the UPF, where the algorithm priority list supported by the UPF may be preset in the AMF, or preset in the UPF, and the AMF obtains the algorithm priority list supported by the UPF from the UPF. The PCF determines an air interface protection algorithm based on the UE security capability, the algorithm priority list supported by the UPF, and the QFISP, for example, under the QFISP used for "encryption needed + integrity protection needed", the PCF further determines that the encryption algorithm is AES and the integrity protection algorithm is AES, and carries the security protection algorithm in the QFISP. In this case, the user plane protection mechanism (QFISP) directly specifies the encryption algorithm and the integrity protection algorithm, and the SMF directly determines the encryption algorithm and the integrity protection algorithm.
In an embodiment of the present invention, the SMF may generate a user plane protection key based on a security protection algorithm. Specifically, the SMF calculates a key for encryption protection based on the determined encryption algorithm, and obtains an air interface user plane encryption key; or the SMF calculates a key for integrity protection based on the determined integrity protection algorithm to obtain an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
In a specific implementation, the first air interface user plane protection key is KDF(K_SMF, UP algorithm ID);
or the first air interface user plane protection key is KDF(K_SMF, UP algorithm ID, flow ID);
or the first air interface user plane protection key is KDF(K_SMF, UP algorithm ID, DRB ID);
or the first air interface user plane protection key is KDF(K_SMF, UP algorithm ID, session ID).
Here K_SMF is a base station key that the AMF derives, after successful authentication, from the post-authentication base key or from a key derived again after authentication, and the AMF sends K_SMF to the SMF; or K_SMF is a base station key that the AUSF derives, after successful authentication, from the post-authentication base key or from a key derived again after authentication, and the AUSF sends K_SMF to the SMF. The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID; the encryption algorithm ID indicates the corresponding encryption algorithm, and the integrity protection algorithm ID indicates the corresponding integrity protection algorithm.
10. The SMF sends the security protection algorithm or the user plane protection key to the UPF. Accordingly, the UPF receives the security protection algorithm or the user plane protection key.
In a possible embodiment, if the UPF receives the user plane protection key, that key is used as the user plane protection key of the UPF.
In a possible embodiment, if the UPF receives only the security protection algorithm and not the user plane protection key, the UPF may calculate a user plane protection key (see the related description above) based on the security protection algorithm and K_SMF, and that key is the user plane protection key of the UPF. Here K_SMF is a key that the AMF derives, after successful authentication, from the post-authentication key or from a key derived again after authentication, and the AMF sends K_SMF to the UPF; or K_SMF is a key that the AUSF derives, after successful authentication, from the post-authentication key or from a key derived again after authentication, and the AUSF sends K_SMF to the UPF.
11. The SMF sends the session ID, the QoS flow ID, the security protection algorithm and the QoS flow protection mechanism (QFISP) to the AN through the AMF.
The QFISP can be carried in a QoS rule and transmitted to the UE.
In addition, the QoS flow protection mechanism is optional.
12. The AN sends the session ID, the QoS flow ID, the security protection algorithm and the QoS flow protection mechanism (QFISP) to the UE.
13. The UE determines a user plane protection key.
Reference may be made to the description of step 12 in the embodiment of fig. 11, which is not repeated here.
It should be noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: in step 4, the session establishment procedure may also be initiated by the AMF, i.e. the AMF sends a session request to the SMF. In this case, the user equipment identity (UE ID), the UE security capability, the indicator, or the DNN, the service ID, the UE service ID, etc. in the session request may be obtained by the AMF from the received attach request, where the attach request carries the above information.
Possibility 2: in a possible embodiment, the content of step 7 and step 8 may be replaced by: and the PCF directly determines the QoS flow protection mechanism and sends the QoS flow protection mechanism to the SMF.
Possibility 3: the flow ID and the session ID may be generated before the SMF sends the policy request.
Possibility 4: if the QFISP comprises a specific security protection algorithm, the SMF can also send the QFISP to the UPF, and the UPF acquires the security protection algorithm in the QFISP.
Possibility 5: if the QFISP does not include the security protection algorithm, step 9 and step 13 may also implement security protection by:
(alternative step 9) the SMF calculates a first K_UP, K_UP = KDF(K_SMF, session ID) or K_UP = KDF(K_SMF, QoS flow ID);
(alternative step 10) the SMF sends the session ID, the QFI and the first K_UP to the UPF;
(alternative step 11) the SMF sends the session ID, the QFI and the QFISP to the AN through the AMF;
(alternative step 12) the AN sends the session ID, the QFI and the QFISP to the UE;
(alternative step 13) the UE generates a second K_UP based on K_SMF, where K_SMF is a key derived by the UE from the post-authentication key or from a key derived again after authentication;
(addition step 14) the UPF renegotiates the security protection algorithm with the UE, and then generates a user plane protection key of the UPF and a user plane protection key of the UE based on the first K _ UP and the second K _ UP, respectively.
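Alternative steps 9 to 14 (possibility 5), as an added example that is not part of the patent: the SMF hands the UPF a session-level K_UP before any algorithm is fixed, the UE derives its own K_UP from its K_SMF, and only after the UPF and the UE have renegotiated the algorithms does each side derive its user plane protection keys from its K_UP. Assumptions: HMAC-SHA256 over length-prefixed parameters as the KDF, KDF(K_UP, UP algorithm ID) as the final step (the page leaves that formula open), and constructed sample values for K_SMF, the session ID and the algorithm IDs.

```python
import hashlib
import hmac


def kdf(key, *params):
    """HMAC-SHA256 KDF with length-prefixed parameters (one of the KDF
    families the page lists); the parameter encoding is a constructed choice."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_k_up(k_smf, session_id=None, qos_flow_id=None):
    """Alternative steps 9 and 13: K_UP = KDF(K_SMF, session ID) or
    K_UP = KDF(K_SMF, QoS flow ID). Exactly one granularity ID is used."""
    if (session_id is None) == (qos_flow_id is None):
        raise ValueError("use either a session ID or a QoS flow ID, not both")
    return kdf(k_smf, session_id if session_id is not None else qos_flow_id)


def derive_protection_keys(k_up, cipher_alg_id, integrity_alg_id):
    """Addition step 14: once the UPF and the UE have renegotiated the
    algorithms, each side derives (encryption key, integrity key) from its own
    K_UP. KDF(K_UP, UP algorithm ID) is an assumption made here, mirroring the
    KDF(K_SMF, UP algorithm ID) form of step 9."""
    return kdf(k_up, cipher_alg_id), kdf(k_up, integrity_alg_id)


class Smf:
    def __init__(self, k_smf):
        self.k_smf = k_smf  # received from the AMF or the AUSF after authentication

    def establish(self, session_id, upf):
        first_k_up = derive_k_up(self.k_smf, session_id=session_id)  # alt. step 9
        upf.install(session_id, first_k_up)                          # alt. step 10


class Upf:
    def __init__(self):
        self.k_up = {}  # first K_UP per session, as handed over by the SMF

    def install(self, session_id, k_up):
        self.k_up[session_id] = k_up

    def protection_keys(self, session_id, cipher_alg_id, integrity_alg_id):
        return derive_protection_keys(self.k_up[session_id], cipher_alg_id, integrity_alg_id)


class Ue:
    def __init__(self, k_smf):
        self.k_smf = k_smf  # derived by the UE from its own post-authentication key

    def protection_keys(self, session_id, cipher_alg_id, integrity_alg_id):
        second_k_up = derive_k_up(self.k_smf, session_id=session_id)  # alt. step 13
        return derive_protection_keys(second_k_up, cipher_alg_id, integrity_alg_id)


def run_possibility_5(ue_k_smf, smf_k_smf):
    """Walk alternative steps 9 to 14 for one session and return the UPF's and
    the UE's key pairs. The two K_SMF inputs are passed separately so that a
    stale or mismatched UE copy shows up as non-matching keys. The session ID
    and algorithm IDs are constructed values."""
    session_id = b"\x00\x07"
    cipher_alg_id, integrity_alg_id = b"\x01\x01", b"\x02\x01"
    upf, smf, ue = Upf(), Smf(smf_k_smf), Ue(ue_k_smf)
    smf.establish(session_id, upf)
    # Addition step 14: algorithm renegotiation between UPF and UE has happened;
    # both now derive their user plane protection keys from their own K_UP.
    return (upf.protection_keys(session_id, cipher_alg_id, integrity_alg_id),
            ue.protection_keys(session_id, cipher_alg_id, integrity_alg_id))


if __name__ == "__main__":
    k_smf = hashlib.sha256(b"constructed K_SMF").digest()
    upf_keys, ue_keys = run_possibility_5(k_smf, k_smf)
    print("UPF and UE keys match:", upf_keys == ue_keys)
```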
It should be noted that, where the embodiment in fig. 14 is not described in detail, reference may be made to the description related to the embodiment in fig. 11, and the embodiment in fig. 14 is only used as an example and should not be construed as a limitation to the present invention.
It can be seen that the main difference between the embodiment of fig. 14 and the embodiment of fig. 11 is that policy negotiation is performed between the UE and the CN at flow transmission channel granularity, and in this process the AN needs no security configuration.
The embodiment of the invention can be realised on a future 5G-based communication framework: during session establishment the UE and the CN complete policy negotiation at flow transmission channel granularity, and after the PCF determines the user plane protection mechanism, the UE and the CN each determine the user plane protection key, thereby realising security protection of the user plane data. The embodiment of the invention can realise network security protection between the UE and the core network, avoiding the drawbacks of hop-by-hop segmented protection and improving the security of user plane data transmission.
To facilitate understanding of the solution of the embodiment of the present invention, some operation flows of applying the flow-based key configuration method in fig. 14 in the uplink transmission and downlink transmission processes of user plane data are illustrated below based on the UE-CN, and are described in detail as follows:
(1) Uplink transmission of user plane data under the flow-based key configuration method.
On the UE side, the UE determines the session ID from the user data, then determines the QFI, and then determines the corresponding security protection mechanism (QFISP) to obtain the security protection algorithm, comprising an encryption algorithm and an integrity protection algorithm; the UE then applies security protection to the user plane data with the corresponding protection key based on the ciphering algorithm and the integrity protection algorithm.
On the UPF side, after the UPF determines from the QoS flow ID the security protection mechanism (QFISP) corresponding to the QFI, the UPF obtains the security protection algorithm, comprising an encryption algorithm and an integrity protection algorithm, and after receiving the user plane data uploaded by the UE, the UPF can apply security protection to the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm.
(2) Downlink transmission of user plane data under the flow-based key configuration method.
On the UPF side, when user plane data needs to be transmitted downlink, the UPF identifies the security protection mechanism (QFISP) from the QFI, following the procedure of the method shown in fig. 14, obtains the security protection algorithm, comprising an encryption algorithm and an integrity protection algorithm, and applies security protection to the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm.
On the UE side, the UE identifies the QoS flow ID from the DRB ID and then the security protection mechanism corresponding to the QFI, obtains the security protection algorithm, comprising an encryption algorithm and an integrity protection algorithm, and can apply security protection to the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm.
A session-based key configuration method provided in the embodiment of the present invention is described below from the viewpoint of granularity differentiation based on UE-CN, and as shown in fig. 15, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. During network attachment, the UE sends an attach request to the AUSF through the AN and the AMF, and the AUSF performs authentication with the UE based on the UE ID and determines that the UE is a valid user.
In the embodiment of the present invention, the attach request at least includes a user equipment identity (UE ID). In addition, optionally, the attach request may further include a service ID, a UE service ID, or a DNN, and optionally, the attach request may further include indication information (indicator) of security requirements.
4. The UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
5. The SMF sends a policy request to the PCF.
6. The PCF determines the user plane protection mechanism.
7. The PCF sends a user plane protection mechanism (SDFSP) to the SMF, and correspondingly, the SMF obtains the user plane protection mechanism (SDFSP).
8. The SMF determines the session protection mechanism.
9. The SMF determines a security protection algorithm and a user plane protection key.
In a specific embodiment, if the session protection mechanism is encryption/integrity protection, and the session protection mechanism does not directly specify a security protection algorithm, the SMF determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the UPF, and the session protection mechanism, where the algorithm priority list supported by the UPF may be preset in the SMF, or preset in the UPF, and the SMF obtains the algorithm priority list supported by the UPF from the UPF. For example, when the user plane protection mechanism is "encryption required + integrity protection required", the SMF determines that the encryption algorithm is AES and the integrity protection algorithm is AES according to the UE security capability, the algorithm priority list supported by the UPF, and the algorithm supported by the UE. If encryption is not required, the encryption algorithm is null. If integrity protection is not required, the integrity protection algorithm is null.
In another embodiment, if the session protection mechanism is encryption/integrity protection, and the session protection mechanism directly specifies the security protection algorithm, including the encryption algorithm and the integrity protection algorithm, the SMF may directly obtain the security protection algorithm from the session protection mechanism.
In an embodiment of the present invention, the SMF may generate a user plane protection key based on a security protection algorithm. Specifically, the SMF calculates a key for encryption protection based on the determined encryption algorithm, and obtains an air interface user plane encryption key; or the SMF calculates a key for integrity protection based on the determined integrity protection algorithm to obtain an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
In a specific implementation, the first air interface user plane protection key is KDF(K_SMF, UP algorithm ID);
or the first air interface user plane protection key is KDF(K_SMF, UP algorithm ID, flow ID);
or the first air interface user plane protection key is KDF(K_SMF, UP algorithm ID, DRB ID);
or the first air interface user plane protection key is KDF(K_SMF, UP algorithm ID, session ID).
Here K_SMF is a base station key that the AMF derives, after successful authentication, from the post-authentication base key or from a key derived again after authentication, and the AMF sends K_SMF to the SMF; or K_SMF is a base station key that the AUSF derives, after successful authentication, from the post-authentication base key or from a key derived again after authentication, and the AUSF sends K_SMF to the SMF. The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID; the encryption algorithm ID indicates the corresponding encryption algorithm, and the integrity protection algorithm ID indicates the corresponding integrity protection algorithm.
10. The SMF sends the user plane protection key or the security protection algorithm to the UPF; accordingly, the UPF receives the user plane protection key or the security protection algorithm.
11. SMF sends session ID, QoS flow ID, security protection algorithm, QFISP, session protection mechanism to AN through AMF.
12. The AN sends a session ID, a QoS flow ID, a security protection algorithm, a QFISP and a session protection mechanism to the UE.
13. The UE determines a user plane protection key.
It should be noted that, for the parts not described in detail in this embodiment, reference may be made to the description related to the embodiment in fig. 13.
It should be further noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: in step 4, the session establishment procedure may also be initiated by the AMF, i.e. the AMF sends a session request to the SMF. In this case, the user equipment identity (UE ID), the UE security capability, the indicator, or the DNN, the service ID, the UE service ID, etc. in the session request may be obtained by the AMF from the received attach request, where the attach request carries the above information.
Possibility 2: in a possible embodiment, the content of step 7 and step 8 may be replaced by: the PCF determines the session protection mechanism directly and sends the session protection mechanism to the SMF.
Possibility 3: the flow ID and the session ID may be generated before the SMF sends the policy request.
Possibility 4: if the session protection mechanism includes a specific security protection algorithm, then the SMF may also send the session protection mechanism to the UPF, and the UPF obtains the security protection algorithm in the session protection mechanism.
Possibility 5: if the QFISP does not include the security protection algorithm, step 9 and step 13 may also implement security protection by:
(alternative step 9) the SMF calculates a first K_UP, K_UP = KDF(K_SMF, session ID) or K_UP = KDF(K_SMF, QoS flow ID);
(alternative step 10) the SMF sends the session ID, the QFI and the first K_UP to the UPF;
(alternative step 11) the SMF sends the session ID, the QFI, the session protection mechanism and the QFISP to the AN through the AMF;
(alternative step 12) the AN sends the session ID, the QFI, the session protection mechanism and the QFISP to the UE;
(alternative step 13) the UE generates a second K_UP based on K_SMF, where K_SMF is a key derived by the UE from the post-authentication key or from a key derived again after authentication;
(addition step 14) the UPF renegotiates the security protection algorithm with the UE, and then generates a user plane protection key of the UPF and a user plane protection key of the UE based on the first K _ UP and the second K _ UP, respectively.
It can be seen that the main difference between the embodiment of fig. 15 and the embodiment of fig. 11 is that policy negotiation is performed between the UE and the CN at session transmission channel granularity, and in this process the AN needs no security configuration.
The embodiment of the invention can be realised on a future 5G-based communication framework: during session establishment the UE and the CN complete policy negotiation at session transmission channel granularity, and after the PCF determines the user plane protection mechanism, the UE and the CN each determine the user plane protection key, thereby realising security protection of the user plane data. The embodiment of the invention can realise network security protection between the UE and the core network, avoiding the drawbacks of hop-by-hop segmented protection and improving the security of user plane data transmission.
To facilitate understanding of the solution of the embodiment of the present invention, some operation flows of applying the session-based key configuration method in fig. 15 in uplink transmission and downlink transmission of user plane data are illustrated below based on the UE-CN, and are described in detail as follows:
(1) Uplink transmission of user plane data based on the session-based key configuration method.
On the UE side, when the user plane data needs to be transmitted in an uplink mode, the UE determines a session ID according to the user data, and then confirms that the session ID corresponds to a security protection mechanism (session protection mechanism) to obtain a security protection algorithm which comprises an encryption algorithm and an integrity protection algorithm; therefore, the UE performs security protection of the user plane data using the corresponding protection key based on the ciphering algorithm and the integrity protection algorithm.
On the UPF side, the UPF confirms the session ID according to the QFI, determines the security protection mechanism (session protection mechanism) corresponding to the session ID, and obtains a security protection algorithm comprising an encryption algorithm and an integrity protection algorithm; after the UPF obtains the user plane data uploaded by the UE, it performs security protection on the user plane data with the corresponding key based on the encryption algorithm and the integrity protection algorithm.
(2) Downlink transmission of user plane data based on the session-based key configuration method.
On the UPF side, when the user plane data needs to be transmitted in a downlink manner, the UPF confirms a security protection mechanism (session protection mechanism) according to the session ID to obtain a security protection algorithm, wherein the security protection algorithm comprises an encryption algorithm and an integrity protection algorithm, and the user plane data is subjected to security protection by adopting a corresponding key based on the encryption algorithm and the integrity protection algorithm.
On the UE side, the UE confirms the QoS flow ID according to the DRB ID, further confirms the session ID, finally determines a security protection mechanism (session protection mechanism) corresponding to the session ID, obtains a security protection algorithm comprising an encryption algorithm and an integrity protection algorithm, and can adopt corresponding keys to perform security protection on user plane data based on the encryption algorithm and the integrity protection algorithm. Optionally, the session ID may be directly determined according to the DRB ID; or, optionally, the UE determines the session ID according to the data format.
As shown in fig. 16, the following key configuration method provided in the embodiment of the present invention, based on UE-AN, includes the following steps:
1-3. During network attachment, the UE sends an attach request to the AUSF through the AN and the AMF, and the AUSF performs authentication with the UE based on the UE ID and determines that the UE is a valid user.
In the embodiment of the present invention, the attach request at least includes a user equipment identity (UE ID).
4. The UE sends a session Request to the AMF, wherein the session Request comprises a session ID, a Request type and DNN. Where the Request type parameter includes two possibilities. The Request type indicates that an existing PDU session is used (as denoted by "existing PDU session") or indicates Initial session initiation (as denoted by "Initial Request"). In addition, optionally, the session request may further include at least one of a service ID, a UE service ID, and an APP ID, and optionally, the session request may further include indication information (indicator) of security requirements.
5. The AMF sends the UE ID, the session ID, the Request type and the DNN to the SMF. The UE ID may be the UE ID obtained by the AMF in the above authentication, where the AMF determines the UE ID according to the transmission protocol between the UE and the AMF, that is, the AMF looks up the UE ID by the AMF UE N2-AP ID of the signaling between the UE and the AMF; it is also possible that the session request sent by the UE carries a UE ID, or that the session request sent by the UE carries a temporary ID which the AMF maps to the UE ID.
6. If the Request type indicates that the existing PDU session (such as an existing PDU session) is used, the SMF determines the existing user plane protection mechanism corresponding to the session ID according to the session ID at the moment, and the user plane protection mechanism corresponding to the session ID is used as the user plane protection mechanism of the session.
If the Request type indicates that a new PDU session is established (e.g., "Initial Request"), then SMF continues execution.
If the SMF does not store the registration information related to the DNN, the SMF sends the UE ID and the DNN to the UDM and receives a subscription security protection mechanism from the UDM. Alternatively, the UDM does not store a subscription security protection mechanism corresponding to the UE ID and the DNN, in which case the UDM sends the default security protection mechanism stored in the UDM to the SMF as the subscription security protection mechanism, or the UDM sends an empty security protection mechanism identifier to the SMF. The default security protection mechanism stored within the UDM may be to use only encryption protection, or only integrity protection, or both encryption and integrity protection. Alternatively, the default user plane protection mechanism indicates which security algorithm to use for protection, such as encryption protection using only the AES algorithm, or integrity protection using only the Snow 3G security algorithm, or both encryption using the AES algorithm and integrity protection using the Snow 3G security algorithm.
7. The SMF determines whether a dynamic policy control mechanism has been deployed.
If the dynamic policy control mechanism is not deployed, the SMF adopts a subscription security protection mechanism as the security protection mechanism of the session, and jumps to step 10 to execute. It is also possible that the SMF does not store or obtain the subscription security protection mechanism, and at this time, the SMF adopts the default user plane protection mechanism and jumps to step 10 for execution. It is also possible that the SMF does not store or obtain the subscription security protection mechanism, and at this time, the SMF adopts the user plane protection mechanism indicated by the indicator and skips to step 10 for execution. The default user plane protection mechanism may be to use only encryption protection, or only integrity protection, or both encryption and integrity protection. Alternatively, the default user plane protection mechanism indicates which security algorithm to use for protection, such as encryption protection using only the AES algorithm, or integrity protection using only the Snow 3G security algorithm, or both encryption using the AES algorithm and integrity protection using the Snow 3G security algorithm.
If the network has deployed a dynamic policy control mechanism, the SMF sends the UE ID and DNN to the PCF. In addition, the SMF may also receive at least one of the service ID, the UE service ID and the APP ID from the UE or the AMF, and the SMF may send the UE ID and the DNN to the PCF, or may send at least one of the service ID, the UE service ID and the APP ID to the PCF at the same time.
8. The PCF determines a dynamic user plane protection mechanism. To do so, the PCF determines whether a corresponding protection mechanism is stored according to at least one of the DNN, the service ID, the UE service ID and the APP ID. If a corresponding protection mechanism is stored, that protection mechanism is used as the dynamic user plane protection mechanism; the protection mechanism stored in the PCF was sent to the PCF by the server corresponding to the DNN, the service ID, the UE service ID or the APP ID. Otherwise, the PCF sends a request, which includes the UE ID, to the server corresponding to the DNN, the service ID, the UE service ID or the APP ID, and receives a security protection requirement from the server; the security protection requirement is used as the dynamic user plane protection mechanism. The security protection requirement may be that only encryption protection is used, only integrity protection is used, or both encryption and integrity protection are used, or it may further specify which security algorithms are used, that is, an encryption protection algorithm and an integrity protection algorithm. It is also possible that, if nothing is stored in the PCF and no security protection requirement is obtained from the server, the PCF uses a default security protection mechanism stored in the PCF, which is either only encryption protection, only integrity protection, or both encryption and integrity protection. Alternatively, the default user plane protection mechanism indicates which security algorithm to use for protection, such as encryption protection using only the AES algorithm, or integrity protection using only the Snow 3G security algorithm, or both encryption using the AES algorithm and integrity protection using the Snow 3G security algorithm.
9. PCF sends dynamic user plane protection mechanism to SMF, SMF obtains the dynamic user plane protection mechanism and uses it as final user plane protection mechanism.
10. The SMF sends the user plane protection mechanism to the AMF, while sending the session ID or flow ID.
11. The AMF sends the user plane protection mechanism to the AN, while sending the session ID or flow ID. It is also possible that the SMF sends the user plane protection mechanism directly to the AN, while sending the session ID or flow ID.
12. The AN determines a security protection algorithm and a user plane protection key.
In a specific embodiment, if the user plane protection mechanism only indicates whether encryption/integrity protection is required and does not directly specify a security protection algorithm, the AN determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the AN, and the user plane protection mechanism. For example, if the user plane protection mechanism requires ciphering but does not require integrity protection, the UE security capability supports AES ciphering and ZUC ciphering, and the AN supports AES ciphering with the first priority, then the AN selects the ciphering algorithm AES, and the integrity protection algorithm is the null algorithm.
In another embodiment, if the user plane protection mechanism indicates whether encryption/integrity protection is required and also directly specifies a security protection algorithm, including a ciphering algorithm and an integrity protection algorithm, the AN may directly obtain the security protection algorithm from the user plane protection mechanism.
In an embodiment of the present invention, the AN may generate the user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption protection based on the determined encryption algorithm to obtain an air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm to obtain an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
In a specific implementation, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID);
alternatively, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID, flow ID);
or KDF(K_AN, UP algorithm ID, session ID);
or KDF(K_AN, UP algorithm ID, DRB ID);
or KDF(K_AN, UP algorithm ID, slice ID).
K_AN is a base station key that the AMF or the SEAF derives, after successful authentication, from the basic key obtained after authentication or from a key derived again after authentication, and the AMF or the SEAF sends K_AN to the AN. The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID. The DRB ID may be the DRB ID assigned by the AN for this service. KDF is a key derivation function, including but not limited to the following cryptographic derivation functions: HMAC (e.g., HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, hash algorithms, and the like.
13. The AN sends a session ID, a flow ID, a security protection algorithm and a user plane protection mechanism to the UE.
The user plane protection mechanism may be carried in a QoS rule and sent to the UE.
In addition, the user plane protection mechanism is optional.
14. The UE determines a protection key.
The UE acquires the session ID, the user plane security algorithm, the user plane protection mechanism and K_AN, and generates the corresponding user plane protection key.
Specifically, the UE calculates a key for encryption protection based on the received encryption algorithm to obtain an air interface user plane encryption key; or the UE calculates a key for integrity protection based on the received integrity protection algorithm to obtain an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a second air interface user plane protection key.
In a specific implementation, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID);
alternatively, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, flow ID);
or the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, session ID);
or the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID);
or the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, slice ID).
K_AN is a base station key that the UE derives, after successful authentication, from the basic key obtained after authentication or from a key derived again after authentication. The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID. The DRB ID may be the DRB ID assigned by the AN for this service. KDF is a key derivation function, including but not limited to the following cryptographic derivation functions: HMAC (e.g., HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, hash algorithms, and the like.
It should be noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: in step 4, the session establishment procedure may also be initiated by the AMF, i.e. the AMF sends a session request to the SMF. In this case, the user equipment identity (UE ID), the UE security capability, the indicator, or the DNN, the service ID, the UE service ID, etc. in the session request may be obtained by the AMF from the received attach request, where the attach request carries the above information.
Possibility 2: the flow ID and the session ID may be generated before the SMF sends the policy request.
Possibility 3: step 6 is optional, and the SMF does not use the request type to judge whether to adopt the old user plane security mechanism. The SMF needs to renegotiate the user plane security mechanism each time a session is established.
Possibility 4: steps 1-9 may be taken alone as an embodiment of the user plane security mechanism determination. The user plane security mechanism may be used for security protection between future UEs and the AN, or between a user UE and the CN.
Possibility 5: steps 10-13 may be taken alone as an embodiment for the UE to establish a secure channel with the AN.
The embodiment of the invention can realize a communication architecture based on future 5G: in the session establishment process, the UE and the AN complete policy negotiation at PDU session transmission channel granularity, the PCF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset by the network side, and the UE and the AN each determine the security protection algorithm and the key, thereby realizing security protection of the user plane data.
As shown in fig. 17, the difference between the embodiment of the present invention and the embodiment shown in fig. 16 is that a user plane security mechanism is finally used for security protection between the UE and the UPF. The key configuration method provided by the embodiment of the invention comprises the following steps:
Steps 1-9 can be seen with reference to FIG. 16.
10. The SMF obtains a user plane security mechanism, determines a security protection algorithm and determines a user plane protection key.
In a specific embodiment, if the user plane protection mechanism only includes a description of whether to encrypt/whether to perform integrity protection, the SMF determines whether the user plane protection mechanism between the UE and CN needs to encrypt and whether to perform integrity protection, and then the SMF determines a security protection algorithm according to the received UE security capability and an algorithm priority list supported by the UPF, where the algorithm priority list supported by the UPF may be preset in the SMF or preset in the UPF, and the SMF obtains the algorithm priority list supported by the UPF from the UPF. For example, when the user plane protection mechanism is "encryption required + integrity protection required", the SMF determines that the encryption algorithm is AES and the integrity protection algorithm is AES according to the UE security capability, the algorithm priority list supported by the UPF, and the algorithm supported by the UE.
In another embodiment, the user plane protection mechanism directly specifies a security protection algorithm, and the SMF may directly obtain the security protection algorithm from the user plane protection mechanism. After determining the user plane protection mechanism, the SMF may determine an air interface protection algorithm based on the algorithm priority list supported by the UPF, the algorithms supported by the UE, and the security capability of the UE, where the algorithm priority list supported by the UPF may be preset in the SMF or preset in the UPF, in which case the SMF obtains the algorithm priority list supported by the UPF from the UPF. For example, under a user plane protection mechanism of "encryption required + integrity protection required", the SMF further determines that the encryption algorithm is AES and the integrity protection algorithm is AES, and carries the security protection algorithm in the user plane protection mechanism. In this case, since the user plane protection mechanism directly specifies the encryption algorithm and the integrity protection algorithm, the SMF can directly acquire the encryption algorithm and the integrity protection algorithm from the user plane protection mechanism after acquiring it.
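The selection rule described for the AN (fig. 16, step 12) and for the SMF (fig. 17, step 10) can be written out as follows. This is an added illustration, not code from the patent; the dataclass field names, the algorithm names and the NULL algorithm label are assumptions, and it also rejects the case, which the text does not spell out, where the UE capability and the network priority list have no algorithm in common.

```python
"""Security protection algorithm selection as described for the AN (fig. 16,
step 12) and the SMF (fig. 17, step 10).  Added illustration, not the
patent's own code; field names, algorithm names and NULL_ALG are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NULL_ALG = "NULL"  # null algorithm: no protection on that dimension (assumed label)


@dataclass
class ProtectionMechanism:
    """User plane / session protection mechanism.

    ciphering / integrity state whether that protection is required.  When the
    mechanism directly specifies algorithms (second embodiment), cipher_alg /
    integ_alg are set and taken as-is."""
    ciphering: bool
    integrity: bool
    cipher_alg: Optional[str] = None
    integ_alg: Optional[str] = None


@dataclass
class UESecurityCapability:
    """Algorithms the UE reports it supports, per protection dimension."""
    ciphers: List[str] = field(default_factory=list)
    integrity: List[str] = field(default_factory=list)


def _pick(required: bool, specified: Optional[str], ue_supported: List[str],
          priority_list: List[str]) -> str:
    """Pick one algorithm for one protection dimension.

    Not required -> NULL_ALG.  A specified algorithm is used only if the UE
    actually supports it; otherwise the first entry of the network side
    priority list (AN or UPF list) that the UE also supports wins."""
    if not required:
        return NULL_ALG
    if specified is not None:
        if specified not in ue_supported:
            raise ValueError(f"mechanism specifies {specified}, UE does not support it")
        return specified
    for alg in priority_list:
        if alg in ue_supported:
            return alg
    raise ValueError("no common algorithm between UE capability and priority list")


def select_algorithms(mech: ProtectionMechanism, ue_cap: UESecurityCapability,
                      cipher_priority: List[str],
                      integ_priority: List[str]) -> Tuple[str, str]:
    """Return (ciphering algorithm, integrity algorithm) for the session."""
    cipher = _pick(mech.ciphering, mech.cipher_alg, ue_cap.ciphers, cipher_priority)
    integ = _pick(mech.integrity, mech.integ_alg, ue_cap.integrity, integ_priority)
    return cipher, integ


if __name__ == "__main__":
    # The worked case from the text: ciphering required, integrity not required,
    # UE supports AES and ZUC ciphering, AN lists AES first -> (AES, NULL).
    mech = ProtectionMechanism(ciphering=True, integrity=False)
    ue = UESecurityCapability(ciphers=["ZUC", "AES"], integrity=["SNOW3G"])
    print(select_algorithms(mech, ue, ["AES", "ZUC"], ["SNOW3G"]))  # ('AES', 'NULL')
```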
In a possible embodiment, after determining the security protection algorithm, the SMF may further determine a user plane protection key, specifically:
the user plane protection key is KDF(K_SMF, UP algorithm ID);
alternatively, the user plane protection key is KDF(K_SMF, UP algorithm ID, flow ID);
alternatively, the user plane protection key is KDF(K_SMF, UP algorithm ID, session ID);
or the user plane protection key is KDF(K_SMF, UP algorithm ID, DRB ID);
or the user plane protection key is KDF(K_SMF, UP algorithm ID, slice ID).
K_SMF is a key that the AMF/SEAF derives, after successful authentication, from the key obtained after authentication or from a key derived again after authentication, and the AMF/SEAF sends K_SMF to the SMF; or K_SMF is a key that the AUSF derives, after successful authentication, from the key obtained after authentication or from a key derived again after authentication, and the AUSF sends K_SMF to the SMF. The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID. It is also possible that the user plane protection key is calculated from a key derived from K_SMF, for example K_UP = KDF(K_SMF, session ID) and user plane protection key = KDF(K_UP, UP algorithm ID).
11. The SMF sends the security protection algorithm or the user plane protection key to the UPF, and the UPF correspondingly receives the security protection algorithm or the user plane protection key.
In a possible embodiment, if the UPF receives only the security protection algorithm and not the user plane protection key, the UPF may calculate a user plane protection key (see the related description above) based on the security protection algorithm and K_SMF, and this key is the user plane protection key of the UPF. K_SMF is a key that the AMF/SEAF derives, after successful authentication, from the key obtained after authentication or from a key derived again after authentication, and the AMF/SEAF sends K_SMF to the UPF through the SMF; or K_SMF is a key that the AUSF derives, after successful authentication, from the key obtained after authentication or from a key derived again after authentication, and the AUSF sends K_SMF to the UPF. The security protection algorithm may also be a security protection algorithm determined by the UPF according to the algorithm priority list of the UPF and the algorithm list of the UE; here the algorithm list of the UE may be sent by the SMF to the UPF.
In a possible embodiment, if the UPF receives the user plane protection key, the user plane protection key is taken as the user plane protection key of the UPF.
12. The SMF sends a security protection algorithm and a user plane protection mechanism to the AMF, wherein the user plane protection mechanism is optional.
It should be noted that, if the security protection algorithm is determined by the SMF according to the received UE security capability, the algorithm priority list supported by the UPF, and the like, the SMF sends the security protection algorithm to the AMF;
Optionally, the SMF sends the security protection algorithm to the AMF as follows: the SMF sends a session response to the AMF, and the session response carries the security protection algorithm.
It should be noted that if the security protection algorithm is determined by the AMF based on the UPF supported algorithm priority list, the UE supported algorithms, and the UE security capability, the SMF does not need to send the security protection algorithm to the AMF.
13. The AMF sends a security protection algorithm and a user plane protection mechanism to the AN, wherein the user plane protection mechanism is optional.
14. The AN sends the security protection algorithm and the user plane protection mechanism to the UE, where the user plane protection mechanism is optional.
15. The UE generates a user plane protection key according to the user plane security algorithm, the user plane protection mechanism and K_SMF; or the UE generates the user plane protection key according to the user plane security algorithm and K_SMF.
In a possible embodiment, after receiving the security protection algorithm, the UE may further determine a user plane protection key, which is the user plane protection key of the UE, specifically:
the user plane protection key is KDF(K_SMF, UP algorithm ID);
alternatively, the user plane protection key is KDF(K_SMF, UP algorithm ID, flow ID);
alternatively, the user plane protection key is KDF(K_SMF, UP algorithm ID, session ID);
or the user plane protection key is KDF(K_SMF, UP algorithm ID, DRB ID);
or the user plane protection key is KDF(K_SMF, UP algorithm ID, slice ID);
or user plane protection mechanism parameters are added to the input of the derivation function. K_SMF is a key that the UE derives, after successful authentication, from the key obtained after authentication or from a key derived again after authentication. The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID. It is also possible that the user plane protection key is calculated from a key derived from K_SMF, for example K_UP = KDF(K_SMF, session ID) and user plane protection key = KDF(K_UP, UP algorithm ID).
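The derivations above, both the air interface keys from K_AN (fig. 16, steps 12 and 14) and the UE-CN keys from K_SMF via K_UP (fig. 17, steps 10, 11 and 15), worked out in Python as an added example rather than the patent's own code. It assumes KDF is HMAC-SHA256 (one of the functions the page lists), a length-prefixed encoding of the KDF inputs, and constructed sample key and ID values.

```python
"""User plane key derivation as described in this page (fig. 16 steps 12/14,
fig. 17 steps 10/11/15).  Added illustration, not the patent's own code.
Assumptions: KDF = HMAC-SHA256, length-prefixed input encoding, sample values."""
import hashlib
import hmac
from typing import Dict, Optional, Union

Field = Union[bytes, int, str]


def _encode(f: Field) -> bytes:
    """Canonical byte encoding of one KDF input (IDs are small unsigned ints)."""
    if isinstance(f, int):
        return f.to_bytes(4, "big")
    if isinstance(f, str):
        return f.encode("utf-8")
    return f


def kdf(key: bytes, *fields: Field) -> bytes:
    """KDF(key, field_1, ..., field_n) realised as HMAC-SHA256 (assumption).

    Each input is length-prefixed before concatenation so the input list is
    unambiguous: changing which ID is supplied, or its position, always
    changes the derived key."""
    msg = b""
    for f in fields:
        enc = _encode(f)
        msg += len(enc).to_bytes(2, "big") + enc
    return hmac.new(key, msg, hashlib.sha256).digest()


def air_interface_keys(k_an: bytes, cipher_alg_id: int, integ_alg_id: int,
                       granularity: Optional[Field] = None) -> Dict[str, bytes]:
    """UE-AN keys of fig. 16 (first key at the AN, second key at the UE).

    Page: key = KDF(K_AN, UP algorithm ID), optionally extended with a flow ID,
    session ID, DRB ID or slice ID; `granularity` is that optional input.
    The ciphering key and the integrity key each bind their own algorithm ID,
    so they differ even though both come from the same K_AN."""
    extra = () if granularity is None else (granularity,)
    return {
        "enc": kdf(k_an, cipher_alg_id, *extra),
        "int": kdf(k_an, integ_alg_id, *extra),
    }


def cn_user_plane_keys(k_smf: bytes, session_id: int, cipher_alg_id: int,
                       integ_alg_id: int) -> Dict[str, bytes]:
    """UE-CN keys of fig. 17 via the two-stage derivation the page gives:
    K_UP = KDF(K_SMF, session ID), then key = KDF(K_UP, UP algorithm ID).
    The SMF/UPF and the UE each run this from their own copy of K_SMF; the
    session-scoped K_UP means two sessions never share user plane keys."""
    k_up = kdf(k_smf, session_id)
    return {"enc": kdf(k_up, cipher_alg_id), "int": kdf(k_up, integ_alg_id)}


if __name__ == "__main__":
    # Constructed sample values; real K_AN / K_SMF come out of authentication.
    K_SMF = bytes.fromhex("00112233445566778899aabbccddeeff"
                          "00112233445566778899aabbccddeeff")
    K_AN = hashlib.sha256(b"constructed K_AN sample").digest()
    AES_ID, SNOW3G_ID, SESSION_ID, FLOW_ID = 1, 2, 7, 3

    upf = cn_user_plane_keys(K_SMF, SESSION_ID, AES_ID, SNOW3G_ID)  # network side
    ue = cn_user_plane_keys(K_SMF, SESSION_ID, AES_ID, SNOW3G_ID)   # UE side
    assert upf == ue                      # both ends agree on the keys
    assert upf["enc"] != upf["int"]       # one key per algorithm / purpose
    other = cn_user_plane_keys(K_SMF, SESSION_ID + 1, AES_ID, SNOW3G_ID)
    assert other["enc"] != upf["enc"]     # session isolation via K_UP

    # Both ends must pick the same optional granularity input; if the AN
    # used the session ID and the UE the flow ID, the keys silently diverge.
    an_keys = air_interface_keys(K_AN, AES_ID, SNOW3G_ID, granularity=SESSION_ID)
    ue_keys = air_interface_keys(K_AN, AES_ID, SNOW3G_ID, granularity=FLOW_ID)
    assert an_keys != ue_keys
    print("UE-CN encryption key:", upf["enc"].hex())
```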
It should be noted that, in the above method flow of this embodiment, the following embodiments may exist:
Possibility 1: if the AMF does not need the information of the indicator in the process of determining the user plane protection mechanism, the UE may not send the indicator to the network side (or the indicator may not be included in the attach request).
Possibility 2: in this embodiment, the order of the above process steps is not limited, for example, step 8 and step 9 may be performed simultaneously, and step 8 may also be placed before or after step 9.
Possibility 3: in step 4, the session establishment procedure may also be initiated by the UE, that is, the UE sends a session request to the SMF through the AMF.
Possibility 4: if the user plane protection mechanism comprises a specific security protection algorithm, the AMF can also send the user plane protection mechanism to the UPF through the SMF, and the UPF acquires the security protection algorithm in the user plane protection mechanism.
Possibility 5: if the user plane protection mechanism does not include the security protection algorithm, then steps 7-12 can also implement security protection by:
(alternative steps 7, 8) the SMF calculates a first K_UP: K_UP = KDF(K_SMF, session ID); or K_UP = KDF(K_SMF, QoS flow ID);
(alternative step 9) the SMF sends the session ID, QFI and user plane protection mechanism to the AMF.
(alternative step 10) AMF sends session ID, QFI and user plane protection mechanism to AN;
(alternative step 11) the AN sends the session ID, QFI and user plane protection mechanism to the UE;
(alternative step 12) the UE generates a second K_UP based on K_SMF, where K_SMF is a key derived by the UE from the key obtained after authentication or from a key derived again after authentication.
(additional step 13) the UPF and the UE negotiate a security protection algorithm based on the session ID, the QFI and the user plane protection mechanism, and then generate the user plane protection key of the UPF and the user plane protection key of the UE based on the first K_UP and the second K_UP, respectively.
Possibility 6: step 6 is optional, and the SMF does not use the request type to judge whether to adopt the old user plane security mechanism. The SMF needs to renegotiate the user plane security mechanism each time a session is established.
It should be noted that, where the embodiment in fig. 17 is not described in detail, reference may be made to the description related to the embodiment in fig. 3, and the embodiment in fig. 17 is only used as an example and should not be construed as a limitation to the present invention.
It can be seen that the main difference between the embodiment in fig. 17 and the embodiment in fig. 3 is that, in an application scenario of the UE-CN, the SMF determines a user plane protection mechanism according to security requirements (including security requirements of different services) required by the user equipment side and security requirements preset by the network side in a relevant flow of session establishment.
By implementing the embodiment of the invention, a communication architecture based on future 5G can be realized: in the session establishment process, the UE and the CN complete policy negotiation, and after the user plane protection mechanism is determined by the AMF, the UE and the CN each determine the user plane protection key, thereby realizing security protection of the user plane data. The embodiment of the invention can realize network security protection between the UE and the core network, avoid the drawbacks of the hop-by-hop segmented protection mode, and improve the security of user plane data transmission.
A session-based key configuration method provided in the embodiment of the present invention is described below from the viewpoint of granularity differentiation based on UE-AN, and as shown in fig. 18, the key configuration method provided in the embodiment of the present invention includes the following steps:
1-3. During network attachment, the UE sends an attach request to the AUSF through the AN and the AMF, and the AUSF performs authentication with the UE based on the UE ID and determines that the UE is a valid user.
In the embodiment of the present invention, the attach request at least includes a user equipment identity (UE ID). In addition, optionally, the attach request may further include a service ID, a UE service ID, or a DNN, and optionally, the attach request may further include indication information (indicator) of security requirements.
4. The UE sends a session request to the SMF through the AMF, and correspondingly, the SMF receives the session request.
5. The SMF sends a policy request to the PCF.
6. The PCF determines the user plane protection mechanism.
7. The PCF sends a user plane protection mechanism (SDFSP) to the SMF, and correspondingly, the SMF obtains the user plane protection mechanism (SDFSP).
8. The SMF determines the session protection mechanism.
In the embodiment of the invention, when the user plane data needs to be transmitted over a session transmission channel, a DRB transmission channel or a QoS flow transmission channel, the security protection mechanism for the data transmission can be realized on a session basis.
Specifically, the SMF may determine the session protection mechanism based on the SDFSP in the different PCC rules. Alternatively, the SMF receives the session protection mechanism directly from the PCF.
9. The SMF sends QFISP, session protection mechanism, QoS flow ID to the AN through AMF.
In a specific embodiment, the SMF directly sends the session ID, the session protection mechanism and the QoS flow ID to the AN through the AMF;
in another embodiment, the SMF sends the QoS rule, QoS profile, QoS flow ID to the AN through the AMF. The QoS rule comprises a session protection mechanism, and the QoS rule is used for providing the session protection mechanism corresponding to the user plane data for the UE. The QoS profile includes the session protection mechanism, and the QoS profile is used to provide the session protection mechanism corresponding to the user plane data to the AN.
Optionally, the SMF may also send the session ID to the AN through the AMF.
10. The AN determines a security protection algorithm and a user plane protection key.
In a specific embodiment, if the session protection mechanism is encryption/integrity protection, and the session protection mechanism does not directly specify a security protection algorithm, the AN determines the security protection algorithm according to the UE security capability, the algorithm priority list supported by the AN, and the user plane protection mechanism. For example, the session protection mechanism requires ciphering but does not require integrity protection, and further, the UE security capability supports AES ciphering/ZUC ciphering, but the AN supports AES ciphering with a first priority, the AN selects the ciphering algorithm AES, and the integrity protection algorithm is a null algorithm.
In another embodiment, if the session protection mechanism is encryption/integrity protection, and the session protection mechanism directly specifies the security protection algorithm, including the encryption algorithm and the integrity protection algorithm, the AN may directly obtain the security protection algorithm from the session protection mechanism.
In an embodiment of the present invention, the AN may generate the user plane protection key based on the security protection algorithm. Specifically, the AN calculates a key for encryption protection based on the determined encryption algorithm to obtain an air interface user plane encryption key; or the AN calculates a key for integrity protection based on the determined integrity protection algorithm to obtain an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a first air interface user plane protection key.
In a specific implementation, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID);
alternatively, the first air interface user plane protection key is KDF(K_AN, UP algorithm ID, flow ID);
or KDF(K_AN, UP algorithm ID, session ID);
or KDF(K_AN, UP algorithm ID, DRB ID);
or KDF(K_AN, UP algorithm ID, slice ID).
Here K_AN is the base station key that the AMF derives, after successful authentication, from the basic key obtained in authentication or from a key derived again after authentication, and that the AMF sends to the AN; the UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID; the DRB ID may be the DRB ID assigned by the AN for this service.
11. The AN sends a session ID, a QoS flow ID, a security protection algorithm and a session protection mechanism to the UE.
The session protection mechanism may be carried in a Qos rule and sent to the UE.
Additionally, the session protection mechanism is optional.
12. The UE determines a protection key.
The UE obtains the session ID, the QFI, the user plane security algorithm, the session protection mechanism and K_AN, and generates the user plane protection key accordingly.
specifically, the UE calculates a key for encryption protection based on the received encryption algorithm to obtain an air interface user plane encryption key; or, the UE calculates a key for integrity protection based on the received integrity protection algorithm, and obtains an air interface user plane integrity protection key. The air interface user plane encryption key and the air interface user plane integrity protection key may be collectively referred to as a second air interface user plane protection key.
In a specific implementation, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID);
alternatively, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, flow ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, session ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID);
or, the second air interface user plane protection key is KDF(K_AN, UP algorithm ID, slice ID).
Here K_AN is the base station key that the UE derives, after successful authentication, from the basic key obtained in authentication or from a key derived again after authentication. The UP algorithm ID may be an encryption algorithm ID or an integrity protection algorithm ID; the DRB ID may be the DRB ID assigned by the AN for this service. KDF is a key derivation function, including but not limited to the following cryptographic derivation functions: HMAC (e.g., HMAC-SHA256, HMAC-SHA1), NMAC, CMAC, OMAC, CBC-MAC, PMAC, UMAC and VMAC, as well as hash algorithms, among others.
It should be noted that, for the steps not described in detail in the embodiment of fig. 18, reference may be made to the relevant description in the embodiment of fig. 11. The above-described embodiment of fig. 18 is provided as an example only and should not be construed as limiting the present invention.
It should be noted that, in the above method flow of this embodiment, the following possibilities may also exist:
Possibility 1: in step 4, the session establishment procedure may also be initiated by the AMF, i.e. the AMF sends a session request to the SMF. In this case, the user equipment identity (UE ID), the UE security capability, the indicator, or the DNN, the service ID, the UE service ID, etc. in the session request may be obtained by the AMF from the received attach request, where the attach request carries the above information.
Possibility 2: the flow ID and the session ID may be generated before the SMF sends the policy request.
It can be seen that the difference between the embodiment in fig. 18 and the embodiment in fig. 11 is that the UE-AN performs policy negotiation using PDU session transport channel based granularity.
The embodiment of the invention can be implemented on a future 5G-based communication architecture: in the related session establishment procedure, the UE and the AN complete the policy negotiation at PDU session transmission channel granularity, the PCF determines the user plane protection mechanism according to the security requirements of the user equipment side (including the security requirements of different services) and the security requirements preset by the network side, and the UE and the AN respectively determine the security protection algorithm and the key, thereby implementing security protection of the user plane data.
To facilitate understanding of the solution of the embodiment of the present invention, some operation flows in which the session-based key configuration method of fig. 13 is applied to uplink transmission and downlink transmission of user plane data between the UE and the AN are illustrated below, as follows:
(1) Uplink transmission of user plane data based on the session-based key configuration method.
At the UE side, the UE determines a session ID according to the user data, then determines the security protection mechanism (session protection mechanism) corresponding to the session ID to obtain the security protection algorithm, comprising an encryption algorithm and an integrity protection algorithm; the UE then performs security protection of the user plane data with the corresponding protection keys based on the ciphering algorithm and the integrity protection algorithm.
At the AN side, the AN determines the QoS flow ID according to the DRB ID, then determines the session ID, and finally determines the security protection mechanism (session protection mechanism) corresponding to the session ID; after the AN obtains the user plane data uploaded by the UE, it performs security protection of the user plane data with the corresponding keys based on the encryption algorithm and the integrity protection algorithm. Alternatively, the AN determines the session ID directly according to the DRB ID; or the AN determines the QFI according to the QFI carried in, or marked in, the protocol stack.
(2) Downlink transmission of user plane data based on the session-based key configuration method.
On the AN side, when the AN needs to transmit user plane data in the downlink, the AN determines the session ID according to the QFI, then determines the security protection mechanism (session protection mechanism), obtains the security protection algorithm comprising an encryption algorithm and an integrity protection algorithm, and performs security protection of the user plane data with the corresponding keys based on the encryption algorithm and the integrity protection algorithm. Alternatively, the AN determines the session ID directly according to the DRB ID; or the security protection mechanism (session protection mechanism) is determined based on the session ID carried in the protocol stack. On the UE side, the UE determines the QoS flow ID according to the DRB ID, then determines the session ID, finally determines the security protection mechanism (session protection mechanism) corresponding to the session ID, obtains the security protection algorithm comprising an encryption algorithm and an integrity protection algorithm, and performs security protection of the user plane data with the corresponding keys based on the encryption algorithm and the integrity protection algorithm.
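The uplink and downlink flows above resolve, in both directions, a transport identifier (DRB ID or QFI) to a session ID and from there to the session protection mechanism and its algorithms. The following is an added illustration and not code from the patent: the mapping tables, the per-session keys and the PDU are constructed, and HMAC-SHA256 stands in for whatever integrity algorithm the mechanism selects. Ciphering is not applied here; the point is the lookup chain and the null-algorithm handling when a session does not require integrity protection.

```python
import hashlib
import hmac

NULL_ALG = "NULL"

# Constructed state shared by UE and AN after steps 10-12 of fig. 18:
# DRB ID -> QoS flow ID -> session ID.
DRB_TO_QFI = {1: 5, 2: 6}
QFI_TO_SESSION = {5: 11, 6: 12}

# Session protection mechanism per session ID; here the mechanism already names
# the algorithms (the case where it specifies them directly).
SESSION_MECHANISM = {
    11: {"encrypt": True, "integrity": True, "enc_alg": "AES", "int_alg": "AES"},
    12: {"encrypt": True, "integrity": False, "enc_alg": "ZUC", "int_alg": None},
}

# Per-session air interface integrity keys, assumed already derived on both
# sides (constructed values; in the flow they come from KDF(K_AN, ...)).
INT_KEY = {
    11: hashlib.sha256(b"constructed integrity key, session 11").digest(),
    12: hashlib.sha256(b"constructed integrity key, session 12").digest(),
}


def algorithms_for(session_id):
    """Session ID -> (ciphering algorithm, integrity algorithm); null when not required."""
    m = SESSION_MECHANISM[session_id]
    enc = m["enc_alg"] if m["encrypt"] else NULL_ALG
    integ = m["int_alg"] if m["integrity"] else NULL_ALG
    return enc, integ


def session_from_drb(drb_id):
    """Uplink at the AN (and downlink at the UE): DRB ID -> QoS flow ID -> session ID."""
    if drb_id not in DRB_TO_QFI:
        raise KeyError(f"no QoS flow bound to DRB {drb_id}")
    return QFI_TO_SESSION[DRB_TO_QFI[drb_id]]


def session_from_qfi(qfi):
    """Downlink at the AN: QoS flow ID -> session ID."""
    return QFI_TO_SESSION[qfi]


def integrity_tag(session_id, pdu):
    """Stand-in for the selected integrity algorithm (HMAC-SHA256 with the
    session key). Returns None when the mechanism requires no integrity protection."""
    _, integ = algorithms_for(session_id)
    if integ == NULL_ALG:
        return None
    return hmac.new(INT_KEY[session_id], pdu, hashlib.sha256).digest()


def ue_uplink(session_id, pdu):
    """UE side of uplink: the session ID is known from the user data; protect the PDU."""
    enc, integ = algorithms_for(session_id)
    return {"pdu": pdu, "tag": integrity_tag(session_id, pdu),
            "enc_alg": enc, "int_alg": integ}


def an_receive_uplink(drb_id, protected):
    """AN side of uplink: resolve the session from the DRB the PDU arrived on,
    re-derive the expected protection and verify it. Returns (session_id, accepted)."""
    session_id = session_from_drb(drb_id)
    expected = integrity_tag(session_id, protected["pdu"])
    if expected is None:
        # This session carries no integrity protection; a tag would be a mismatch.
        accepted = protected["tag"] is None
    else:
        accepted = protected["tag"] is not None and hmac.compare_digest(expected, protected["tag"])
    return session_id, accepted
```

A PDU protected under session 11 but received on DRB 2 (bound to session 12) is rejected, as is an unprotected PDU on DRB 1: the AN trusts the DRB-to-session binding it assigned, never the sender's claim of which session the data belongs to.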
In the above embodiments, it should be noted that the secondary authentication may be an optional step. If the secondary authentication is performed, the SMF or the AMF may determine whether to authorize the UE to access the session according to the result of the secondary authentication. If the authentication succeeds, the UE is allowed to access the session, and the decision on the user plane security mechanism is then made. It is also possible that the SMF or the AMF determines, according to the result of the secondary authentication, whether to make the decision on the user plane security mechanism at all.
In the above embodiments, it should be further explained that the IDs and parameters (or some of them) and the requirements used by the UE, AN or UPF in the user plane protection key derivation may be sent to the UE, AN or UPF through a core network element (e.g., AMF, SMF, SEAF, etc.), so that the UE, AN or UPF can derive the user plane protection key correctly. In addition, the IDs and parameters used by the UE may also be sent to the UE through the AN or the UPF.
In the above embodiments, it should be further noted that the user plane security mechanism may be a priority list of algorithms. In this case, the AN or the UPF can determine the user plane security algorithm according to the user plane security mechanism, the UE security capability and the security algorithms supported by the AN/UPF. For example, the algorithm with the highest priority in the user plane security mechanism that is supported by both the UE and the AN/UPF is selected as the user plane security algorithm.
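Step 10 of fig. 18 and the priority-list remark above describe two ways the AN (or UPF) arrives at a concrete algorithm pair: select by AN preference within the UE security capability when the mechanism only says whether to protect, take the algorithm as given when the mechanism names it, or pick the first entry of a mechanism-supplied priority list that both sides support. The following is an added illustration, not code from the patent; the algorithm names beyond AES, ZUC and null, and the dictionary layout of the mechanism and the UE capability, are assumptions.

```python
NULL_ALG = "NULL"


def select_one(required, specified, ue_supported, an_priority):
    """Pick one algorithm for a single protection type (ciphering or integrity).

    required     -- does the session protection mechanism require this protection?
    specified    -- algorithm named directly by the mechanism, or None
    ue_supported -- algorithms in the UE security capability
    an_priority  -- algorithm priority list supported by the AN, best first
    """
    if not required:
        return NULL_ALG                       # protection not required: null algorithm
    if specified is not None:
        if specified not in ue_supported:     # the mechanism must not outrun the UE
            raise ValueError(f"mechanism specifies {specified} but the UE does not support it")
        return specified                      # mechanism directly specifies the algorithm
    for alg in an_priority:                   # AN preference, limited by UE capability
        if alg in ue_supported:
            return alg
    raise ValueError("no algorithm supported by both UE and AN; session cannot be protected")


def select_security_algorithms(mechanism, ue_capability, an_enc_priority, an_int_priority):
    """Step 10 of fig. 18: return (ciphering algorithm, integrity protection algorithm)."""
    enc = select_one(mechanism.get("encrypt", False), mechanism.get("enc_alg"),
                     ue_capability["enc"], an_enc_priority)
    integ = select_one(mechanism.get("integrity", False), mechanism.get("int_alg"),
                       ue_capability["int"], an_int_priority)
    return enc, integ


def select_from_priority_list(mechanism_priority, ue_supported, an_supported):
    """Variant where the user plane security mechanism is itself a priority list:
    the highest-priority entry supported by both the UE and the AN/UPF wins."""
    for alg in mechanism_priority:
        if alg in ue_supported and alg in an_supported:
            return alg
    raise ValueError("no algorithm in the mechanism list is supported by both sides")


def page_example():
    """The worked case from the text: ciphering required, integrity not required,
    UE supports AES and ZUC ciphering, AN ranks AES first."""
    mechanism = {"encrypt": True, "integrity": False}
    ue_capability = {"enc": {"AES", "ZUC"}, "int": {"AES", "ZUC"}}
    return select_security_algorithms(mechanism, ue_capability,
                                      an_enc_priority=["AES", "ZUC"],
                                      an_int_priority=["AES", "ZUC"])
```

The order of the two lookups matters for the outcome: in `select_one` the AN's priority list drives the choice and the UE capability only filters it, whereas in `select_from_priority_list` the mechanism's own ordering drives the choice and both endpoints only filter. A deployment must fix which list is authoritative, otherwise UE and AN can legitimately disagree.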
In the above embodiments, it should be further explained that:
(1) for embodiments employing SMF to determine the user plane security mechanism, the following possibilities need to be supported:
the SMF first determines whether a PCF needs to be requested (or a dynamic user plane security mechanism needs to be requested) according to the registration information of the UE, and then obtains the user plane security mechanism responded by the PCF.
If the PCF does not need to be requested (or a dynamic user plane security mechanism is not needed), the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the UE registration information. Or the SMF obtains the subscribed service data from the UDM by sending the DNN, the service ID, or the DNN and the service ID to the UDM, and the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the subscribed service data.
If a request for PCF is required (or a dynamic user plane security mechanism is required), SMF sends a policy request and further obtains the user plane security mechanism from PCF. This is the same as the process of requesting PCF in the above embodiment.
(2) For embodiments employing AMF to determine the user plane security mechanism, the following possibilities need to be supported:
the AMF first determines whether the PCF needs to be requested (or a dynamic user plane security mechanism is needed) according to the registration information of the UE, and then obtains the user plane security mechanism responded by the PCF.
If the PCF does not need to be requested (or a dynamic user plane security mechanism is not needed), the AMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the UE registration information. Or the AMF obtains the subscribed service data from the UDM by sending the DNN, the service ID, or the DNN and the service ID to the UDM, and the AMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the subscribed service data.
If the PCF needs to be requested (or a dynamic user plane security mechanism is needed), the AMF sends a policy request and further obtains the user plane security mechanism from the PCF. This is the same as the process of requesting PCF in the above embodiment.
(3) For embodiments where SMF determines the user plane security mechanism, the following possibilities need to be supported:
the SMF receives a Request type parameter, wherein the parameter can be that the UE sends the Request type to the AMF, the AMF sends the Request type to the SMF, or the UE directly sends the Request type to the SMF.
The Request type parameter has two possible values. If the Request type indicates that an existing PDU session is used (e.g., "Existing PDU session"), the SMF determines, according to the session ID, the existing user plane security mechanism corresponding to that session ID, and adopts the existing user plane security mechanism as the user plane security mechanism of the session. If the Request type indicates that a new PDU session is to be established (e.g., "Initial Request"), the user plane security mechanism is determined according to the procedure of the above embodiment.
It is also possible that the SMF determines whether a new user plane security mechanism needs to be determined based on a parameter 1 obtained from the UDM or the AMF. Specifically, the SMF may obtain parameter 1 by sending a request to the UDM; or the SMF receives it from the AMF, in which case the AMF obtained parameter 1 through a request to the UDM. Parameter 1 indicates whether a new user plane security mechanism is required.
(4) For embodiments employing SMF to determine the user plane security mechanism, the following possibilities need to be supported:
the SMF first determines whether a PCF is required to be requested (or whether a dynamic user plane security mechanism is required) according to whether dynamic policy configuration is required, and then obtains the user plane security mechanism responded by the PCF.
If the PCF does not need to be requested (or a dynamic user plane security mechanism is not needed), the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the UE registration information. Or the SMF obtains the subscribed service data from the UDM by sending the DNN, the service ID, or the DNN and the service ID to the UDM, and the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the subscribed service data. Or, the SMF adopts a preset default user plane security mechanism as the user plane security protection mechanism for this session.
If a request for PCF is required (or a dynamic user plane security mechanism is required), SMF sends a policy request and further obtains the user plane security mechanism from PCF. This is the same as the process of requesting PCF in the above embodiment.
(5) For embodiments employing SMF to determine the user plane security mechanism, the following possibilities need to be supported:
the SMF receives a Request type parameter, wherein the parameter can be that the UE sends the Request type to the AMF, the AMF sends the Request type to the SMF, or the UE directly sends the Request type to the SMF.
The Request type parameter has two possible values. If the Request type indicates that an existing PDU session is used (e.g., "Existing PDU session"), the SMF determines, according to the session ID, the existing user plane security mechanism corresponding to that session ID, and uses the existing user plane security mechanism as the user plane security mechanism of the session. If the Request type indicates that a new PDU session is to be established (e.g., "Initial Request"), the procedure continues as follows.
The SMF first determines whether a PCF is required to be requested (or whether a dynamic user plane security mechanism is required) according to whether dynamic policy configuration is required, and then obtains the user plane security mechanism responded by the PCF.
If the PCF does not need to be requested (or a dynamic user plane security mechanism is not needed), the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the UE registration information. Or the SMF obtains the subscribed service data from the UDM by sending the DNN, the service ID, or the DNN and the service ID to the UDM, and the SMF determines the user plane protection mechanism of the UE according to the user plane security mechanism preset in the subscribed service data. Or, the SMF adopts a preset default user plane security mechanism as the user plane security protection mechanism for this session.
If a request for PCF is required (or a dynamic user plane security mechanism is required), SMF sends a policy request and further obtains the user plane security mechanism from PCF. This is the same as the process of requesting PCF in the above embodiment.
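Possibilities (3), (4) and (5) together describe one SMF decision: reuse the mechanism of an existing PDU session when the Request type says so, otherwise decide whether a dynamic policy must be fetched from the PCF, and if not fall back to a preset mechanism from the registration information, the subscribed service data or a default. The following is an added illustration, not code from the patent. The Request type strings follow the text; the precedence among the three preset sources is an assumption (the text lists them as alternatives), and the PCF is modelled as a caller-supplied function standing in for the policy request.

```python
EXISTING_PDU_SESSION = "Existing PDU session"
INITIAL_REQUEST = "Initial Request"


def determine_up_security_mechanism(request_type, session_id, *, existing_sessions,
                                    dynamic_policy_required, request_pcf=None,
                                    registration_preset=None, subscribed_preset=None,
                                    default_mechanism=None):
    """SMF decision on the user plane security mechanism for one session.

    existing_sessions       -- session ID -> mechanism already in force
    dynamic_policy_required -- outcome of the SMF's check whether the PCF must be asked
    request_pcf             -- callable(session_id) -> mechanism (the policy request)
    registration_preset / subscribed_preset / default_mechanism -- preset sources
    Returns (mechanism, source) so the caller can log where the decision came from.
    """
    if request_type == EXISTING_PDU_SESSION:
        if session_id not in existing_sessions:
            # Reuse was requested for a session that has no mechanism: refuse rather
            # than silently falling through to a fresh decision.
            raise LookupError(f"session {session_id} has no established mechanism")
        return existing_sessions[session_id], "existing session"

    if request_type != INITIAL_REQUEST:
        raise ValueError(f"unknown Request type {request_type!r}")

    if dynamic_policy_required:
        if request_pcf is None:
            raise RuntimeError("dynamic policy required but no PCF reachable")
        return request_pcf(session_id), "PCF policy response"

    # Static path: preset mechanisms in order of assumed precedence.
    if registration_preset is not None:
        return registration_preset, "UE registration information"
    if subscribed_preset is not None:
        return subscribed_preset, "subscribed service data (UDM)"
    if default_mechanism is not None:
        return default_mechanism, "preset default"
    raise RuntimeError("no source for a user plane security mechanism")


def constructed_pcf(session_id):
    """Stand-in for the PCF: a constructed dynamic policy per session."""
    return {"encrypt": True, "integrity": session_id % 2 == 1}


def scenario(request_type, session_id, dynamic):
    """Run the decision against a small constructed SMF state."""
    existing = {7: {"encrypt": True, "integrity": True}}
    return determine_up_security_mechanism(
        request_type, session_id,
        existing_sessions=existing,
        dynamic_policy_required=dynamic,
        request_pcf=constructed_pcf,
        registration_preset=None,
        subscribed_preset={"encrypt": True, "integrity": False},
        default_mechanism={"encrypt": False, "integrity": False},
    )
```

The function keeps every branch explicit and returns the source of the decision alongside the mechanism; when auditing why a session ended up without integrity protection, "preset default" versus "PCF policy response" is exactly the distinction an operator needs.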
(6) For embodiments employing SMF to determine the user plane security mechanism, the following possibilities need to be supported:
fig. 11, 12, 13, 14, 15, 16, 17, and 18 correspond to embodiments in which the SMF may determine the user plane security mechanism itself without sending a policy request message to the PCF. For example, the method of the SMF determining the user plane security protection mechanism may be based on the method of the embodiment of fig. 7.
(7) For embodiments employing PCF to determine the user plane security mechanism, the following possibilities need to be supported:
The PCF determines the user plane security protection mechanism according to the default security configuration.
(8) For the method for generating the user plane protection key based on K _ SMF in the above embodiment, the following possibilities need to be considered:
the user plane protection key is calculated from a key derived from K_SMF, for example K_UP = KDF(K_SMF, session ID) and user plane protection key = KDF(K_UP, UP algorithm ID); K_UP may also be generated as K_UP = KDF(K_SMF, flow ID) or K_UP = KDF(K_SMF, slice ID).
(8) For the above embodiment, the following possibilities need to be considered in the generation manner of the user plane protection key: the user plane protection key is KDF (K _ SMF, UP algorithm ID, slice ID), or KDF (K _ UP, UP algorithm ID, slice ID), or KDF (K _ AN, UP algorithm ID, slice ID).
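Steps 10 and 12 of fig. 18 and possibility (8) above list the derivation chains for the user plane protection key: directly from K_AN with an optional flow, session, DRB or slice binding, or in two stages via K_UP = KDF(K_SMF, session ID). The following is an added illustration, not code from the patent: it realises KDF with HMAC-SHA256 (one of the functions the text lists) and shows the AN and UE reaching the same first and second air interface key. The numeric UP algorithm IDs and the root keys are constructed.

```python
import hashlib
import hmac

# Constructed "UP algorithm ID" values. The high byte separates the ciphering and
# integrity families so that KDF(K_AN, UP algorithm ID, ...) yields distinct keys
# even when the same underlying algorithm (e.g. AES) is used for both.
ENC_ALG_ID = {"NULL": 0x0100, "AES": 0x0101, "ZUC": 0x0102}
INT_ALG_ID = {"NULL": 0x0200, "AES": 0x0201, "ZUC": 0x0202}


def kdf(key, *params):
    """KDF(key, p1, p2, ...) realised with HMAC-SHA256. Every parameter is
    length-prefixed before concatenation so that two different parameter
    splits can never produce the same MAC input."""
    msg = b""
    for p in params:
        if isinstance(p, int):
            p = p.to_bytes(4, "big")
        elif isinstance(p, str):
            p = p.encode("utf-8")
        msg += len(p).to_bytes(2, "big") + p
    return hmac.new(key, msg, hashlib.sha256).digest()


def air_interface_up_key(k_an, up_alg_id, binding=None):
    """Steps 10 and 12: KDF(K_AN, UP algorithm ID), optionally bound to a
    flow ID, session ID, DRB ID or slice ID. The AN computes the first key and
    the UE the second one from identical inputs, so the two must be equal."""
    return kdf(k_an, up_alg_id) if binding is None else kdf(k_an, up_alg_id, binding)


def up_key_from_k_smf(k_smf, session_id, up_alg_id):
    """Possibility (8): K_UP = KDF(K_SMF, session ID) and
    user plane protection key = KDF(K_UP, UP algorithm ID)."""
    k_up = kdf(k_smf, session_id)
    return k_up, kdf(k_up, up_alg_id)


def up_key_with_slice(root_key, up_alg_id, slice_id):
    """Second possibility (8): KDF(root, UP algorithm ID, slice ID), where the
    root may be K_SMF, K_UP or K_AN."""
    return kdf(root_key, up_alg_id, slice_id)


def demo():
    """AN and UE derive the same session-bound AES ciphering key; a different
    binding or the integrity algorithm ID gives a different key."""
    k_an = hashlib.sha256(b"constructed K_AN as sent by the AMF").digest()
    k_smf = hashlib.sha256(b"constructed K_SMF").digest()
    session_id, drb_id, slice_id = 11, 1, 3
    first = air_interface_up_key(k_an, ENC_ALG_ID["AES"], session_id)   # AN side
    second = air_interface_up_key(k_an, ENC_ALG_ID["AES"], session_id)  # UE side
    k_up, via_smf = up_key_from_k_smf(k_smf, session_id, ENC_ALG_ID["AES"])
    return {
        "first": first,
        "second": second,
        "integrity": air_interface_up_key(k_an, INT_ALG_ID["AES"], session_id),
        "drb_bound": air_interface_up_key(k_an, ENC_ALG_ID["AES"], drb_id),
        "slice_bound": up_key_with_slice(k_an, ENC_ALG_ID["AES"], slice_id),
        "k_up": k_up,
        "via_smf": via_smf,
    }
```

One caveat the formulas leave open: a session ID, a DRB ID and a slice ID are all small integers, so KDF(K_AN, UP algorithm ID, 11) is the same key whether 11 is meant as a session or as a DRB. If an implementation ever mixes bindings under one K_AN, the binding type has to enter the KDF input as well (a domain separator), which the parameter encoding above makes easy to add.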
(9) With respect to the above embodiments, the following possibility is also included: each of the above embodiments can be split into two independent solutions. Solution 1 is the negotiation method for the user plane protection mechanism (also called the user plane security mechanism or security policy); solution 2 is the method for generating the air interface security algorithm and security key.
(10) For the above embodiments, the following possibility is also included: the AN only supports the mechanism for determining the security algorithm, does not derive an air interface key, and sends the security algorithm or the user plane security mechanism to the UE. If the UE receives the user plane security mechanism, the UE determines the security algorithm by the same method as the AN.
(11) For the above embodiments, the possibility is also included that the AN only forwards the received user plane security mechanism to the UE.
(12) For the above embodiments, the possibility is also included that the UE has already negotiated the confidentiality protection algorithm and the integrity protection algorithm with the AN. The AN then determines the security protection algorithm based on the received user plane security mechanism and the already determined confidentiality protection algorithm and integrity protection algorithm, where the user plane security mechanism indicates whether to encrypt (or whether to integrity protect, or whether to encrypt and integrity protect simultaneously). For example, if the user plane security mechanism indicates encryption protection, the AN protects the data between the UE and the AN using the determined confidentiality protection algorithm. If the user plane security mechanism indicates integrity protection, the AN protects the data between the UE and the AN using the determined integrity protection algorithm. If the user plane security mechanism indicates simultaneous encryption and integrity protection, the AN protects the data between the UE and the AN using the determined confidentiality protection algorithm and integrity protection algorithm. The AN then sends the user plane security mechanism to the UE, and the UE determines the security protection algorithm by the same method as the AN, according to the user plane security mechanism and the determined algorithms. It is also possible that the AN sends the determined security protection algorithm to the UE. Or, the AN sends the user plane security mechanism first, then the UE and the AN determine the confidentiality protection algorithm and the integrity protection algorithm, and finally the security protection algorithm is determined according to the user plane security mechanism and the determined confidentiality protection algorithm and integrity protection algorithm.
While the foregoing is a detailed description of the methods of embodiments of the invention, and in order to facilitate a better understanding of the above-described aspects of embodiments of the invention, some of the apparatus of embodiments of the invention are provided below.
Referring to fig. 19, fig. 19 is a schematic structural diagram of a policy function network element according to an embodiment of the present invention, where the policy function network element may include a receiving module 110, a policy module 120, and a sending module 130, where details of each unit are as follows:
the receiving module 110 is configured to receive a request for communication between a user equipment and a network device; the request comprises a session identifier, a user equipment identifier and indicating information of safety requirements, wherein the indicating information of the safety requirements is used for indicating the safety requirements of the user equipment and/or the service safety requirements;
the policy module 120 is configured to determine a user plane protection mechanism based on the request and at least one of UE registration information fed back by a unified data management network element UDM, subscription service data fed back by the UDM, and service security requirements fed back by an application function network element AF; the user plane protection mechanism is used for indicating whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted or integrity protected or whether encryption and integrity protection are needed simultaneously.
The sending module 130 is configured to send the user plane protection mechanism to an access network (AN) device when the network device is the AN device; the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment so that the user equipment can generate a second user plane protection key based on the security protection algorithm;
the sending module 130 is further configured to send the user plane protection mechanism to an algorithm network element when the network device is a core network CN device; the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, generate a first user plane protection key based on the security protection algorithm, and send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
Optionally, the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
Optionally, the request is an attach request; the attachment request is initiated by the user equipment to an authentication server network element AUSF; the attach request is used for performing bidirectional authentication between the network device and the AUSF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a session request; the session request is initiated by the user equipment to a session management network element (SMF), or initiated by an access and mobility management network element (AMF) to the SMF; the session request is used for establishing a session between the network device and the SMF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine a user plane protection mechanism.
Optionally, the user plane protection mechanism is further configured to indicate at least one of a security protection algorithm, a key length, and a key update period that needs to be adopted for user plane data transmitted between the user equipment and the network device.
Optionally, the user plane protection mechanism is further configured to indicate a list of security protection algorithms with priorities that can be used for user plane data transmitted between the user equipment and the network device.
Specifically, the policy function network element is one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
Specifically, the CN device is a user plane node UPF;
specifically, the algorithm network element includes at least one of the PCF, the AUSF, the AMF, the SMF, and the AN device.
It should be noted that the implementation of each module unit may also correspond to the corresponding description of the method embodiments shown in fig. 3 to fig. 5, and is not described herein again.
Referring to fig. 20, an embodiment of the present invention provides another policy function network element, where the policy function network element includes a processor 210, a memory 220, a transmitter 230, and a receiver 240, and the processor 210, the memory 220, the transmitter 230, and the receiver 240 are connected (e.g., connected to each other through a bus).
The Memory 220 includes, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read Only Memory (EPROM), or a portable Read Only Memory (CD-ROM), and the Memory 1302 is used for related instructions and data. The transceiver 1303 is used for receiving and transmitting data.
The transmitter 230 is used for transmitting data or signaling, and the receiver 240 is used for receiving data or signaling.
The processor 210 may be one or more Central Processing Units (CPUs), and in the case that the processor 210 is one CPU, the CPU may be a single-core CPU or a multi-core CPU.
The processor 210 is configured to read the program code stored in the memory 220, and perform the following operations:
receiving, by the receiver 240, a request for communication between the user equipment and the network device; the request comprises a session identifier, a user equipment identifier and indicating information of safety requirements, wherein the indicating information of the safety requirements is used for indicating the safety requirements of the user equipment and/or the service safety requirements;
the processor 210 determines a user plane protection mechanism based on the request and at least one of UE registration information fed back by a unified data management network element UDM, subscription service data fed back by the UDM, and service security requirements fed back by an application function network element AF; the user plane protection mechanism is used for indicating whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted or integrity protected or whether encryption and integrity protection are needed simultaneously.
When the network device is an access network (AN) device, the user plane protection mechanism is sent to the AN device through the transmitter 230; the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism and to generate a first user plane protection key based on the security protection algorithm; the AN device is further configured to send the security protection algorithm to the user equipment so that the user equipment can generate a second user plane protection key based on the security protection algorithm;
when the network device is a CN device of a core network, the transmitter 230 is used to send the user plane protection mechanism to an algorithm network element; the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, generate a first user plane protection key based on the security protection algorithm, and send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment, so that the user equipment generates a second user plane protection key based on the security protection algorithm.
Optionally, the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
Optionally, the request is an attach request; the attachment request is initiated by the user equipment to an authentication server network element AUSF; the attach request is used for performing bidirectional authentication between the network device and the AUSF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a session request; the session request is initiated by the user equipment to a session management network element (SMF), or initiated by an access and mobility management network element (AMF) to the SMF; the session request is used for establishing a session between the network device and the SMF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine a user plane protection mechanism.
Optionally, the user plane protection mechanism is further configured to indicate at least one of a security protection algorithm, a key length, and a key update period that needs to be adopted for user plane data transmitted between the user equipment and the network device.
Optionally, the user plane protection mechanism is further configured to indicate a list of security protection algorithms with priorities that can be used for user plane data transmitted between the user equipment and the network device.
Specifically, the policy function network element is one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
The CN device is a user plane node UPF; the algorithm network element comprises at least one of the PCF, the AUSF, the AMF, the SMF and the AN device.
Optionally, the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism, and this includes:
if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the AN device;
if the user plane protection mechanism includes a security protection algorithm, directly obtaining the security protection algorithm from the user plane protection mechanism.
Optionally, the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, and this includes:
if the user plane protection mechanism does not include a security protection algorithm, determining the security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the CN device;
if the user plane protection mechanism includes a security protection algorithm, directly obtaining the security protection algorithm from the user plane protection mechanism.
Optionally, when the network device is an access network (AN) device, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF from a basic key after authentication, or a key derived again after authentication, and the AN device obtains K_AN from the AMF;
when the network device is a CN device, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is a base station key derived by the AMF or the AUSF from a basic key after authentication, or a key derived again after authentication, and the algorithm network element obtains K_algorithm network element from the AMF or the AUSF after authentication;
where the UP algorithm ID is the identifier of an encryption algorithm or the identifier of an integrity protection algorithm, and KDF is a key derivation function.
Optionally, the user plane data is carried through a QoS flow transmission channel;
if a QoS flow ID corresponding to a QoS flow transmission channel already exists, and the QoS flow corresponding to the QoS flow ID meets the user plane protection mechanism, or a QoS requirement, or both the user plane protection mechanism and a QoS requirement, selecting that QoS flow transmission channel to transmit the user plane data; otherwise, establishing a new QoS flow transmission channel and generating a QoS flow ID corresponding to it;
or, if a QoS flow ID corresponding to a QoS flow transmission channel already exists, and the QoS flow corresponding to the QoS flow ID meets the user plane protection mechanism, selecting that QoS flow transmission channel to transmit the user plane data; otherwise, establishing a new QoS flow transmission channel and generating a QoS flow ID corresponding to it;
where the QoS requirement is a requirement on a quality of service parameter in the communication network.
Optionally, the user plane data is carried through a data radio bearer (DRB) transmission channel;
if a data radio bearer identifier (DRB ID) corresponding to a DRB transmission channel already exists, and the DRB corresponding to the DRB ID meets the user plane protection mechanism, or a quality of service (QoS) requirement, or both the user plane protection mechanism and a QoS requirement, selecting that DRB transmission channel to transmit the user data; otherwise, establishing a new DRB transmission channel and generating a DRB ID corresponding to it;
or, if a DRB ID corresponding to a DRB transmission channel already exists and the DRB corresponding to the DRB ID meets the user plane protection mechanism, selecting that DRB transmission channel to transmit the user data; otherwise, establishing a new DRB transmission channel and generating a DRB ID corresponding to it.
The DRB ID has a mapping relationship with the user plane protection mechanism.
Optionally, the user plane data is carried through a session transmission channel;
if a session identifier (session ID) corresponding to a session transmission channel already exists, and the session corresponding to the session ID meets the user plane protection mechanism, or a quality of service (QoS) requirement, or both the user plane protection mechanism and a QoS requirement, selecting that session transmission channel to transmit the user data; otherwise, creating a new session transmission channel and generating a session ID corresponding to it;
or, if a session ID corresponding to a session transmission channel already exists and the session corresponding to the session ID meets the user plane protection mechanism, selecting that session transmission channel to transmit the user data; otherwise, creating a new session transmission channel and generating a session ID corresponding to it.
The session ID has a mapping relationship with the user plane protection mechanism.
Optionally, a mapping from the session ID and the QoS flow ID to the DRB ID is established, and QoS flows with the same user plane protection mechanism are mapped to the same DRB.
Specifically, when the network device is an AN device, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_AN, UP algorithm ID); or,
the first user plane protection key is KDF(K_AN, UP algorithm ID, flow ID); or,
the first user plane protection key is KDF(K_AN, UP algorithm ID, session ID); or,
the first user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID).
Specifically, when the network device is a CN device, generating a first user plane protection key based on the security protection algorithm includes:
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID); or,
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, flow ID); or,
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, session ID); or,
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, DRB ID).
In addition, an embodiment of the present invention further provides a communication system, including user equipment, a policy function network element, a network device, a unified data management network element UDM, an application function network element AF and an algorithm network element, where the policy function network element is connected to the user equipment and the network device, the policy function network element is also connected to the UDM and the AF, and the algorithm network element is connected to the policy function network element and the network device, and where:
the policy function network element is used for receiving a request for communication between user equipment and network equipment; the request comprises a session identifier, a user equipment identifier and indicating information of safety requirements, wherein the indicating information of the safety requirements is used for indicating the safety requirements of the user equipment and/or the service safety requirements;
the policy function network element is further configured to determine a user plane protection mechanism based on the request and at least one of UE registration information fed back by the UDM, subscription service data fed back by the UDM, and service security requirements fed back by the AF; the user plane protection mechanism is used for indicating whether user plane data transmitted between the user equipment and the network equipment needs to be encrypted or integrity protected or whether encryption and integrity protection are needed simultaneously.
When the network device is an access network (AN) device, the policy function network element is further configured to send the user plane protection mechanism to the AN device; the AN device is used for determining a security protection algorithm based on the user plane protection mechanism; the AN device is also used for generating a first user plane protection key based on the security protection algorithm; the AN device is also used for sending the security protection algorithm to the user equipment; the user equipment is used for generating a second user plane protection key based on the security protection algorithm;
when the network device is a core network CN device, the policy function network element is configured to send the user plane protection mechanism to an algorithm network element; the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism; the algorithm network element is further configured to generate a first user plane protection key based on the security protection algorithm; the algorithm network element is further configured to send the first user plane protection key to the CN device; the algorithm network element is further configured to send the security protection algorithm to the user equipment; the user equipment is used for generating a second user plane protection key based on the security protection algorithm.
The UDM is used for storing registration information of the UE and also used for storing subscription service data; the AF is used to store traffic security requirements.
Optionally, the request further includes at least one of a service identifier, a user equipment service identifier, a data network identifier DNN, and a user equipment security capability.
Optionally, the system further includes one or more of an authentication server network element AUSF, a session management network element SMF, and an access and mobility management network element AMF;
optionally, the request is an attach request; the attach request is initiated by the user equipment to the AUSF; the attach request is used for performing bidirectional authentication between the network device and the AUSF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a session request; the session request is initiated by the user equipment to the SMF, or initiated by the AMF to the SMF; the session request is used for establishing a session between the network device and the SMF, and is also used for triggering the policy function network element to determine a user plane protection mechanism;
or, the request is a policy request; the policy request is initiated by the SMF to the policy function network element, and the policy request is used to trigger the policy function network element to determine a user plane protection mechanism.
Optionally, the user plane protection mechanism is further configured to indicate at least one of a security protection algorithm, a key length, and a key update period that needs to be adopted for user plane data transmitted between the user equipment and the network device.
Optionally, the user plane protection mechanism is further configured to indicate a list of security protection algorithms with priorities that can be used for user plane data transmitted between the user equipment and the network device.
Specifically, the policy function network element is one of a policy control node PCF, an authentication server network element AUSF, an access and mobility management function network element AMF, a session management network element SMF, and an AN device.
Specifically, the CN device is a user plane node UPF; the algorithm network element comprises at least one of the PCF, the AUSF, the AMF, the SMF and the AN device.
Optionally, the AN device is configured to determine a security protection algorithm based on the user plane protection mechanism, and this includes:
if the user plane protection mechanism does not include a security protection algorithm, the AN device is used for determining a security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the AN device;
if the user plane protection mechanism includes a security protection algorithm, the AN device is used for directly obtaining the security protection algorithm from the user plane protection mechanism.
Optionally, the algorithm network element is configured to determine a security protection algorithm based on the user plane protection mechanism, and this includes:
if the user plane protection mechanism does not include a security protection algorithm, the algorithm network element is used for determining a security protection algorithm based on at least one of the user plane protection mechanism, the user equipment security capability, and the algorithm priority list supported by the CN device;
if the user plane protection mechanism includes a security protection algorithm, the algorithm network element is used for directly obtaining the security protection algorithm from the user plane protection mechanism.
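The selection rule just described for the AN device and for the algorithm network element is the same logic applied with a different node priority list (the AN device's list or the CN device's list). The Python below is an added example of that rule, not code from the patent or from the applicant. The algorithm names NEA0/NEA1/NEA2/NEA3 and NIA1/NIA2/NIA3 are 5G NR style identifiers used only as constructed sample values, the per-purpose dictionary layout of the security capability and priority lists is an assumption, and the check that a policy-chosen algorithm is actually supported by the UE is an addition beyond the page's "directly obtain" step.

```python
"""Security protection algorithm selection (added example, not from the patent)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The two kinds of UP algorithm ID the page names: an encryption (ciphering)
# algorithm identifier or an integrity protection algorithm identifier.
PURPOSES = ("ciphering", "integrity")


@dataclass
class UPProtectionMechanism:
    """Whether user plane data needs encryption and/or integrity protection,
    optionally naming the algorithm to use or a prioritised list of allowed ones."""
    encryption: bool
    integrity: bool
    # Algorithm already fixed by the policy function, per purpose (optional).
    algorithms: Dict[str, str] = field(default_factory=dict)
    # Prioritised list of algorithms allowed by the mechanism, per purpose (optional).
    priority_lists: Dict[str, List[str]] = field(default_factory=dict)


def select_algorithm(purpose: str,
                     mechanism: UPProtectionMechanism,
                     ue_security_capability: Dict[str, List[str]],
                     node_priority_list: Dict[str, List[str]]) -> Optional[str]:
    """Return the UP algorithm ID for one purpose, or None when the mechanism
    says that kind of protection is not required.

    node_priority_list is the list supported by the AN device (AN case) or by
    the CN device (algorithm network element case).
    """
    required = mechanism.encryption if purpose == "ciphering" else mechanism.integrity
    if not required:
        return None
    supported = set(ue_security_capability.get(purpose, ()))
    # Case 1: the mechanism already carries the algorithm: take it directly.
    chosen = mechanism.algorithms.get(purpose)
    if chosen is not None:
        if chosen not in supported:
            # Added defensive check (assumption): an algorithm the UE cannot run
            # would leave the UE unable to derive its second user plane key.
            raise ValueError(f"{purpose}: UE does not support {chosen}")
        return chosen
    # Case 2: walk a priority list (the mechanism's own if present, otherwise
    # the node's) and take the first entry the UE supports.
    candidates = mechanism.priority_lists.get(purpose) or node_priority_list.get(purpose, [])
    for alg in candidates:
        if alg in supported:
            return alg
    raise ValueError(f"{purpose}: no algorithm common to UE capability and priority list")


def select_algorithms(mechanism: UPProtectionMechanism,
                      ue_security_capability: Dict[str, List[str]],
                      node_priority_list: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Pick both UP algorithm IDs the device will send to the user equipment."""
    return {p: select_algorithm(p, mechanism, ue_security_capability, node_priority_list)
            for p in PURPOSES}


# Constructed sample inputs (assumed 5G NR style identifiers, not from the page).
UE_CAPABILITY = {"ciphering": ["NEA2", "NEA1", "NEA0"], "integrity": ["NIA2", "NIA1"]}
AN_PRIORITY = {"ciphering": ["NEA3", "NEA2", "NEA1", "NEA0"],
               "integrity": ["NIA3", "NIA2", "NIA1"]}

if __name__ == "__main__":
    mech = UPProtectionMechanism(encryption=True, integrity=True)
    print(select_algorithms(mech, UE_CAPABILITY, AN_PRIORITY))
    fixed = UPProtectionMechanism(encryption=True, integrity=False,
                                  algorithms={"ciphering": "NEA1"})
    print(select_algorithms(fixed, UE_CAPABILITY, AN_PRIORITY))
```

The node's list is walked in its own priority order and intersected with what the UE reported, so the strongest algorithm both sides support wins; a mechanism that turns a protection off yields no algorithm at all for that purpose, which a practitioner should log, since it is the case in which user plane data travels without that protection.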
Specifically, when the network device is an AN device, the AN device is configured to generate a first user plane protection key based on the security protection algorithm, and this includes:
the first user plane protection key is KDF(K_AN, UP algorithm ID), where K_AN is a base station key derived by the AMF from a basic key after authentication, or a key derived again after successful authentication; the AN device is used for obtaining K_AN from the AMF;
when the network device is a CN device, the algorithm network element is configured to generate a first user plane protection key based on the security protection algorithm, and this includes:
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID), where K_algorithm network element is a base station key derived by the AMF or the AUSF from a basic key after authentication, or a key derived again after successful authentication; the algorithm network element is configured to obtain K_algorithm network element from the AMF or the AUSF;
where the UP algorithm ID is the identifier of an encryption algorithm or the identifier of an integrity protection algorithm, and KDF is a key derivation function.
Optionally, the SMF is further used for determining that the user plane data is carried through a quality of service (QoS) flow transmission channel;
if a QoS flow ID corresponding to a QoS flow transmission channel already exists, and the QoS flow corresponding to the QoS flow ID meets the user plane protection mechanism, or a QoS requirement, or both the user plane protection mechanism and a QoS requirement, the SMF is used for selecting that QoS flow transmission channel to transmit the user plane data; otherwise, the SMF is used for establishing a new QoS flow transmission channel and generating a QoS flow ID corresponding to it;
or, if a QoS flow ID corresponding to a QoS flow transmission channel already exists, and the QoS flow corresponding to the QoS flow ID meets the user plane protection mechanism, the SMF is used for selecting that QoS flow transmission channel to transmit the user plane data; otherwise, the SMF is used for establishing a new QoS flow transmission channel and generating a QoS flow ID corresponding to it;
where the QoS requirement is a requirement on a quality of service parameter in the communication network.
Optionally, the SMF is further used for determining that the user plane data is carried through a data radio bearer (DRB) transmission channel;
if a data radio bearer identifier (DRB ID) corresponding to a DRB transmission channel already exists, and the DRB corresponding to the DRB ID meets the user plane protection mechanism, or a quality of service (QoS) requirement, or both the user plane protection mechanism and a QoS requirement, the SMF is used for selecting that DRB transmission channel to transmit the user data; otherwise, the SMF is used for establishing a new DRB transmission channel and generating a DRB ID corresponding to it;
or, if a DRB ID corresponding to a DRB transmission channel already exists, and the DRB corresponding to the DRB ID meets the user plane protection mechanism, the SMF is configured to select that DRB transmission channel to transmit the user data; otherwise, the SMF is used for establishing a new DRB transmission channel and generating a DRB ID corresponding to it.
The DRB ID has a mapping relationship with the user plane protection mechanism.
Optionally, the SMF is used for determining that the user plane data is carried through a session transmission channel;
if a session identifier (session ID) corresponding to a session transmission channel already exists, and the session corresponding to the session ID meets the user plane protection mechanism, or a quality of service (QoS) requirement, or both the user plane protection mechanism and a QoS requirement, the SMF is used for selecting that session transmission channel to transmit the user data; otherwise, the SMF is used for creating a new session transmission channel and generating a session ID corresponding to it;
or, if a session ID corresponding to a session transmission channel already exists and the session corresponding to the session ID meets the user plane protection mechanism, the SMF is configured to select that session transmission channel to transmit the user data; otherwise, the SMF is used for creating a new session transmission channel and generating a session ID corresponding to it.
The session ID has a mapping relationship with the user plane protection mechanism.
Optionally, determining a user plane protection mechanism further includes:
establishing a mapping from the session ID and the QoS flow ID to the DRB ID, and mapping QoS flows with the same user plane protection mechanism to the same DRB.
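The reuse-or-create rule above is one rule applied to three kinds of channel (QoS flow, DRB, session), followed by the session ID plus QoS flow ID to DRB ID mapping. The Python below is an added example that implements the rule once for any channel kind and then the DRB mapping; it is not code from the patent or from the applicant. The QoS requirement is modelled as a single opaque string, and DRBs are scoped per session so that only flows of one session with the same mechanism share a DRB; both are assumptions, as is the sequential ID allocation.

```python
"""Transmission channel selection and DRB mapping (added example, not from the patent)."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class UPMechanism:
    """User plane protection mechanism: is encryption / integrity protection required."""
    encryption: bool
    integrity: bool


class ChannelTable:
    """Channels of one kind (QoS flow, DRB or session) keyed by their ID.

    Each entry records the mechanism the channel satisfies and, when known,
    its QoS requirement (an opaque string here; an assumption).
    """

    def __init__(self, kind: str):
        self.kind = kind
        self._ids = count(1)                      # assumption: sequential IDs
        self.channels: Dict[int, Tuple[Optional[UPMechanism], Optional[str]]] = {}

    def select_or_create(self, mechanism: Optional[UPMechanism] = None,
                         qos: Optional[str] = None) -> Tuple[int, bool]:
        """Return (channel ID, newly_created).

        The page's three variants are covered by what is supplied: mechanism only,
        QoS requirement only, or both; an existing channel is reused only when it
        matches every supplied criterion, otherwise a new one is established.
        """
        if mechanism is None and qos is None:
            raise ValueError("need a user plane protection mechanism and/or a QoS requirement")
        for cid, (mech, q) in self.channels.items():
            if (mechanism is None or mech == mechanism) and (qos is None or q == qos):
                return cid, False
        cid = next(self._ids)
        self.channels[cid] = (mechanism, qos)
        return cid, True


class DRBMapper:
    """Maps (session ID, QoS flow ID) to a DRB ID.

    Flows of the same session with the same mechanism share one DRB, and every
    DRB ID is recorded against its mechanism (the page's DRB ID to mechanism mapping).
    """

    def __init__(self):
        self._ids = count(1)
        self._drb_for: Dict[Tuple[str, UPMechanism], int] = {}
        self.flow_to_drb: Dict[Tuple[str, int], int] = {}
        self.drb_mechanism: Dict[int, UPMechanism] = {}

    def map_flow(self, session_id: str, flow_id: int, mechanism: UPMechanism) -> int:
        key = (session_id, mechanism)
        drb_id = self._drb_for.get(key)
        if drb_id is None:
            drb_id = next(self._ids)
            self._drb_for[key] = drb_id
            self.drb_mechanism[drb_id] = mechanism
        self.flow_to_drb[(session_id, flow_id)] = drb_id
        return drb_id


if __name__ == "__main__":
    # Constructed sample run (values are not from the page).
    strong = UPMechanism(encryption=True, integrity=True)
    weak = UPMechanism(encryption=True, integrity=False)
    flows = ChannelTable("QoS flow")
    print(flows.select_or_create(strong, "q1"), flows.select_or_create(strong, "q1"))
    mapper = DRBMapper()
    print(mapper.map_flow("s1", 1, strong), mapper.map_flow("s1", 2, strong), mapper.map_flow("s1", 3, weak))
```

Matching on the QoS requirement alone, which the page lists as one variant, can hand data to a channel whose recorded mechanism is weaker than the policy demands, so an implementer would normally keep the mechanism in the match criteria and treat a QoS-only reuse as an exception worth logging.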
Specifically, when the network device is an AN device, the AN device is configured to generate a first user plane protection key based on the security protection algorithm, and this includes:
the first user plane protection key is KDF(K_AN, UP algorithm ID); or,
the first user plane protection key is KDF(K_AN, UP algorithm ID, flow ID); or,
the first user plane protection key is KDF(K_AN, UP algorithm ID, session ID); or,
the first user plane protection key is KDF(K_AN, UP algorithm ID, DRB ID).
Specifically, when the network device is a CN device, the algorithm network element is configured to generate a first user plane protection key based on the security protection algorithm, and this includes:
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID); or,
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, flow ID); or,
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, session ID); or,
the first user plane protection key is KDF(K_algorithm network element, UP algorithm ID, DRB ID).
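The four KDF forms listed for the AN device and for the algorithm network element differ only in which node key goes in (K_AN or K_algorithm network element) and which optional identifier is bound. The Python below is an added example of that derivation on both the network side (first key) and the UE side (second key); it is not code from the patent or from the applicant. The page says only that KDF is a key derivation function, so HMAC-SHA-256 over length-prefixed parameters, the labels that distinguish a flow ID from a session ID or DRB ID of the same value, the label used to derive the node key from the basic key, and the sample key material are all assumptions.

```python
"""User plane protection key derivation (added example, not from the patent)."""
import hashlib
import hmac
from typing import Optional

# Labels binding which optional identifier was used, so that a flow ID of 5 and a
# session ID of 5 never derive the same key (assumption: the page gives no encoding).
_LABELS = {"flow_id": b"flow", "session_id": b"session", "drb_id": b"drb"}


def kdf(key: bytes, *params: bytes) -> bytes:
    """Key derivation function: HMAC-SHA-256 over length-prefixed parameters (assumed)."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in params)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_node_key(basic_key: bytes, node_label: bytes) -> bytes:
    """K_AN (AN case) or K_algorithm network element (CN case), derived by the
    AMF/AUSF from the basic key after authentication; the label is an assumption."""
    return kdf(basic_key, node_label)


def derive_up_key(k_node: bytes, up_algorithm_id: str, *,
                  flow_id: Optional[int] = None,
                  session_id: Optional[int] = None,
                  drb_id: Optional[int] = None) -> bytes:
    """The user plane protection key: KDF(K, UP algorithm ID) alone, or with
    exactly one of flow ID, session ID or DRB ID bound in, as the page lists.

    The network side (first key) and the UE (second key) call this with the same
    inputs; the UP algorithm ID is the encryption or integrity algorithm identifier.
    """
    given = [(name, value) for name, value in
             (("flow_id", flow_id), ("session_id", session_id), ("drb_id", drb_id))
             if value is not None]
    if len(given) > 1:
        raise ValueError("bind at most one of flow ID, session ID or DRB ID")
    params = [up_algorithm_id.encode("ascii")]
    for name, value in given:
        params += [_LABELS[name], value.to_bytes(4, "big")]
    return kdf(k_node, *params)


def keys_match(first: bytes, second: bytes) -> bool:
    """Constant-time comparison of the network's and the UE's derived keys."""
    return hmac.compare_digest(first, second)


# Constructed sample basic key (not from the page).
BASIC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

if __name__ == "__main__":
    k_an = derive_node_key(BASIC_KEY, b"K_AN")            # AMF derives, AN device obtains it
    first = derive_up_key(k_an, "NEA2", drb_id=1)         # AN device: first UP key
    second = derive_up_key(k_an, "NEA2", drb_id=1)        # UE, after receiving algorithm + DRB ID
    print(keys_match(first, second), first.hex())
```

Binding the flow, session or DRB identifier gives each channel its own key, so the derivation for the CN case reads the same with K_algorithm network element in place of K_AN; the practitioner's check is that both sides were given the same UP algorithm ID and the same identifier, because a mismatch in either produces two unrelated keys rather than an error.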
It should be noted that, for the implementation of each network element in the communication system, reference may be made to the description of the method embodiments in fig. 3 to fig. 15, which is not repeated here.
One of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the related hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium includes various media capable of storing program code, such as a ROM, a RAM, a magnetic disk or an optical disk.

Claims (11)

1. A method of determining a security policy, comprising:
the session management network element sends a first request to the unified data management network element, wherein the first request comprises a user identifier UE ID and a data network name DNN;
the unified data management network element determines subscription service data corresponding to the UE ID and the DNN, and sends the subscription service data to the session management network element;
the session management network element receives the subscription service data sent by the unified data management network element and determines a user plane protection mechanism according to the subscription service data; and
the session management network element sends the user plane protection mechanism to an access and management network element, wherein the user plane protection mechanism is used for indicating whether the UE needs to encrypt the user plane data and whether the UE needs to perform integrity protection on the user plane data.
2. The method of claim 1, wherein before the session management network element sends the first request to the unified data management network element, the method further comprises:
the access and management network element sends a session request to a session management network element;
the session management network element receives the session request sent by the access and management network element;
the session management network element sending a first request to a unified data management network element, including:
and responding to the session request, and sending the first request to the unified data management network element by the session management network element.
3. The method of claim 2, wherein the first request further includes a UE service identifier, wherein the UE service identifier is used to characterize an identifier of a service that needs to be transmitted at the UE;
the determining, by the unified data management network element, subscription service data corresponding to the UE ID and the DNN includes:
and the unified data management network element determines subscription service data corresponding to the UE ID, the DNN and the UE service identifier.
4. A system for determining a security policy, the system comprising a session management network element and a unified data management network element;
the session management network element is used for sending a first request to the unified data management network element, wherein the first request comprises a user identifier UE ID and a data network name DNN;
the unified data management network element is configured to determine subscription service data corresponding to the UE ID and the DNN, and send the subscription service data to the session management network element;
the session management network element is used for receiving the subscription service data sent by the unified data management network element and determining a user plane protection mechanism according to the subscription service data, and for sending the user plane protection mechanism to an access and management network element, wherein the user plane protection mechanism is used for indicating whether the UE needs to encrypt the user plane data and whether the UE needs to perform integrity protection on the user plane data.
5. The system of claim 4, wherein the system further comprises an access and management network element;
the access and management network element is used for sending a session request to the session management network element;
the session management network element is configured to receive the session request sent by the access and management network element; and responding to the session request, and sending the first request to the unified data management network element.
6. The system according to claim 5, wherein the first request further includes a UE service identifier, wherein the UE service identifier is used to characterize an identifier of a service that needs to be transmitted at the UE;
the unified data management network element is specifically configured to determine subscription service data corresponding to the UE ID, the DNN, and the UE service identifier.
7. A method of determining a security policy, comprising:
the session management network element sends a first request to the unified data management network element, wherein the first request comprises a user identifier UE ID and a data network name DNN;
the session management network element receives the subscription service data sent by the unified data management network element and determines a user plane protection mechanism according to the subscription service data; and
the session management network element sends the user plane protection mechanism to an access and management network element, wherein the user plane protection mechanism is used for indicating whether the UE needs to encrypt the user plane data and whether the UE needs to perform integrity protection on the user plane data.
8. The method of claim 7, wherein before the session management network element sends the first request to the unified data management network element, the method further comprises:
The session management network element receives a session request sent by an access and management network element;
the session management network element sending a first request to a unified data management network element, including:
and responding to the session request, and sending the first request to the unified data management network element by the session management network element.
9. The method of claim 8, wherein the first request further includes a UE service identifier, and wherein the UE service identifier is used to characterize an identifier of a service that needs to be transmitted at the UE.
10. A session management network element, wherein the session management network element comprises a processor, a receiver, and a transmitter;
the transmitter is used for sending a first request to the unified data management network element, wherein the first request comprises a user identifier UE ID and a data network name DNN;
the receiver is configured to receive the subscription service data sent by the unified data management network element;
the processor is used for determining a user plane protection mechanism according to the subscription service data; and
the transmitter is configured to send the user plane protection mechanism to an access and management network element, wherein the user plane protection mechanism is used for indicating whether the UE needs to encrypt the user plane data and whether the UE needs to perform integrity protection on the user plane data.
11. The session management network element of claim 10, wherein the first request further includes a UE service identifier, and wherein the UE service identifier is used to characterize an identifier of a service that needs to be transmitted by the UE.
CN201780090099.0A 2017-05-06 2017-07-31 Key configuration method, device and system Active CN110574406B (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
CN201710314224.3A CN108810884B (en) 2017-05-06 2017-05-06 Key configuration method, device and system
CN2017103142243 2017-05-06
PCT/CN2017/091511 WO2018205394A1 (en) 2017-05-06 2017-07-03 Key configuration method, apparatus and system
CNPCT/CN2017/091511 2017-07-03
PCT/CN2017/095301 WO2018205427A1 (en) 2017-05-06 2017-07-31 Key configuration method, apparatus and system

Publications (2)

Publication Number Publication Date
CN110574406A CN110574406A (en) 2019-12-13
CN110574406B true CN110574406B (en) 2021-04-20

Family

ID=64054643

Family Applications (3)

Application Number Title Priority Date Filing Date
CN201710314224.3A Active CN108810884B (en) 2017-05-06 2017-05-06 Key configuration method, device and system
CN201910640768.8A Active CN110493774B (en) 2017-05-06 2017-05-06 Key configuration method, device and system
CN201780090099.0A Active CN110574406B (en) 2017-05-06 2017-07-31 Key configuration method, device and system

Country Status (5)

Country Link
US (1) US20200084631A1 (en)
EP (1) EP3611949A4 (en)
CN (3) CN108810884B (en)
BR (1) BR112019023236A2 (en)
WO (2) WO2018205394A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493774A (en) * 2017-05-06 2019-11-22 华为技术有限公司 Cipher key configuration method, apparatus and system

Families Citing this family (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10440159B2 (en) * 2017-08-03 2019-10-08 T-Mobile Usa, Inc. Header modification for supplementary services
WO2019223005A1 (en) * 2018-05-25 2019-11-28 Qualcomm Incorporated Mixed mode multicast architecture
CN110856175A (en) * 2018-08-21 2020-02-28 Huawei Technologies Co Ltd Authorization method and device for user plane security
CN112956253B (en) * 2018-11-06 2022-10-04 ZTE Corp Method and apparatus for attaching user equipment to network slice
CN111436077B (en) * 2019-01-14 2023-05-12 Datang Mobile Communications Equipment Co Ltd Service establishment method, entity, device and medium
CN111491394B (en) * 2019-01-27 2022-06-14 Huawei Technologies Co Ltd Method and device for user plane security protection
EP3903444A1 (en) * 2019-01-29 2021-11-03 Google LLC Integrity protection with message authentication codes having different lengths
CN111641947B (en) * 2019-03-01 2021-12-03 Huawei Technologies Co Ltd Key configuration method, device and terminal
CN111756555B (en) 2019-03-28 2022-04-05 Huawei Technologies Co Ltd Method, equipment and system for binding charging rules
CN111757389B (en) * 2019-03-29 2022-03-25 Datang Mobile Communications Equipment Co Ltd Communication device and method
CN111865872B (en) * 2019-04-26 2021-08-27 Datang Mobile Communications Equipment Co Ltd Method and equipment for realizing terminal security policy in network slice
CN112492584B (en) * 2019-08-23 2022-07-22 Huawei Technologies Co Ltd Method, device and system for secure communication between terminal equipment and user plane network element
CN112788593B (en) * 2019-11-04 2024-07-05 Alibaba Group Holding Ltd Updating method, device and system of security policy
WO2021109151A1 (en) * 2019-12-06 2021-06-10 Huawei Technologies Co Ltd Event report method, apparatus and system
CN113543127B (en) * 2020-03-31 2023-02-17 Datang Mobile Communications Equipment Co Ltd Key generation method, device, equipment and computer readable storage medium
CN113676907B (en) * 2020-04-30 2023-08-04 Huawei Technologies Co Ltd Method, apparatus, device and computer readable storage medium for determining quality of service flow
TWI754950B (en) * 2020-06-02 2022-02-11 Hon Hai Precision Industry Co Ltd A device for internet of things, a server, and a software updating method
CN112838925B (en) * 2020-06-03 2023-04-18 ZTE Corp Data transmission method, device and system, electronic equipment and storage medium
CN112788594B (en) * 2020-06-03 2023-06-27 ZTE Corp Data transmission method, device and system, electronic equipment and storage medium
CN112738800A (en) * 2020-12-25 2021-04-30 Zhongying Youchuang Information Technology Co Ltd Method for realizing data security transmission of network slice
CN112738799A (en) * 2020-12-29 2021-04-30 Zhongying Youchuang Information Technology Co Ltd Method for realizing data security transmission based on strategy
CN116783917A (en) * 2021-01-30 2023-09-19 Huawei Technologies Co Ltd Method, device and system for acquiring security parameters
KR20220135792A (en) * 2021-03-31 2022-10-07 Samsung Electronics Co Ltd Method and apparatus for using nas message to protect data
CN113316138B (en) * 2021-04-27 2023-04-07 Zhongying Youchuang Information Technology Co Ltd Application layer encryption implementation method and implementation device thereof
CN113872752B (en) * 2021-09-07 2023-10-13 Zeku Technology (Beijing) Co Ltd Security engine module, security engine device, and communication apparatus
CN117527280A (en) * 2022-07-29 2024-02-06 ZTE Corp Security authentication method and device for user terminal to access network and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1915022A1 (en) * 2003-02-13 2008-04-23 Innovative Sonic Limited Method for storing a security start value in a wireless communications system
CN102045210B (en) * 2009-10-10 2014-05-28 ZTE Corp End-to-end session key consultation method and system for supporting lawful interception
WO2015144042A1 (en) * 2014-03-27 2015-10-01 China IWNCOMM Co Ltd Method and device for network authentication certification
CN105900503A (en) * 2014-11-27 2016-08-24 Huawei Technologies Co Ltd Paging method, base station, and paging system
CN106487501A (en) * 2015-08-27 2017-03-08 Huawei Technologies Co Ltd Key distribution and reception method, KMC, first and second network elements

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1941695B (en) * 2005-09-29 2011-12-21 Huawei Technologies Co Ltd Method and system for generating and distributing key during initial access network process
CN101188492B (en) * 2006-11-17 2010-08-18 ZTE Corp System and method for realizing secure service
CN101242629B (en) * 2007-02-05 2012-02-15 Huawei Technologies Co Ltd Method, system and device for selection of algorithm of user plane
CN101128061B (en) * 2007-09-27 2013-02-27 ZTE Corp Method and system for mobile management unit, evolving base station and identifying whether UI is encrypted
CN101232442A (en) * 2008-01-09 2008-07-30 ZTE Corp Tactics controlling method
CN101488847B (en) * 2008-01-18 2011-09-14 Huawei Technologies Co Ltd Method, apparatus and system for data ciphering
CN101499959B (en) * 2008-01-31 2012-08-08 Huawei Technologies Co Ltd Method, apparatus and system for configuring cipher key
CN101262337B (en) * 2008-02-05 2012-06-06 ZTE Corp Secure function control method and system
CN102149088A (en) * 2010-02-09 2011-08-10 Telecommunication Transmission Research Institute of the Ministry of Industry and Information Technology Method for protecting mobile subscriber data integrity
US8699708B2 (en) * 2010-06-29 2014-04-15 Alcatel Lucent Light-weight security solution for host-based mobility and multihoming protocols
US9386045B2 (en) * 2012-12-19 2016-07-05 Visa International Service Association Device communication based on device trustworthiness
GB2509937A (en) * 2013-01-17 2014-07-23 Nec Corp Providing security information to a mobile device in which user plane data and control plane signalling are communicated via different base stations
US10455414B2 (en) * 2014-10-29 2019-10-22 Qualcomm Incorporated User-plane security for next generation cellular networks
EP3596953B1 (en) * 2017-03-17 2023-05-31 Telefonaktiebolaget LM Ericsson (Publ) Security solution for switching on and off security for up data between ue and ran in 5g
WO2018201506A1 (en) * 2017-05-05 2018-11-08 Huawei Technologies Co Ltd Communication method and related device
CN108810884B (en) * 2017-05-06 2020-05-08 Huawei Technologies Co Ltd Key configuration method, device and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493774A (en) * 2017-05-06 2019-11-22 Huawei Technologies Co Ltd Cipher key configuration method, apparatus and system
CN110493774B (en) * 2017-05-06 2023-09-26 Huawei Technologies Co Ltd Key configuration method, device and system

Also Published As

Publication number Publication date
EP3611949A1 (en) 2020-02-19
US20200084631A1 (en) 2020-03-12
WO2018205394A1 (en) 2018-11-15
BR112019023236A2 (en) 2020-05-19
CN108810884A (en) 2018-11-13
CN110493774B (en) 2023-09-26
CN110493774A (en) 2019-11-22
EP3611949A4 (en) 2020-04-22
WO2018205427A1 (en) 2018-11-15
CN110574406A (en) 2019-12-13
CN108810884B (en) 2020-05-08

Similar Documents

Publication Publication Date Title
CN110574406B (en) Key configuration method, device and system
CN109314638B (en) Secret key configuration and security policy determination method and device
US11695742B2 (en) Security implementation method, device, and system
KR102245688B1 (en) Key generation method, user equipment, apparatus, computer readable storage medium, and communication system
CN110830993B (en) Data processing method and device and computer readable storage medium
WO2018000936A1 (en) Method and apparatus for configuring key and determining security policy
WO2018079690A1 (en) Communication system, network device, authentication method, communication terminal and security device
EP2648437B1 (en) Method, apparatus and system for key generation
CN113766497B (en) Key distribution method, device, computer readable storage medium and base station
NZ755869B2 (en) Security implementation method, device and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant